Subject: Question about Subject of a SAML assertion
Hello,

I have a question about the Subject element of an Authentication Assertion. A user "A" is sitting in front of a service client SC. She wants to obtain an assertion from an IdP, using WS-Trust. The service client is trusted by the user by some means (for example X.509 certificates), and the user is trusted by the service client because she knows her password.

Now the communication with the IdP is in place, the IdP authenticates the user, for example, and creates the new SAML assertion. The subject of the SAML assertion is the user "A"; there is no way for the third service (the assertion consumer) to tell from the SAML assertion that user A is sitting at service client SC.

What happens if a valid service client SC' (valid for the network, I mean), with a valid user A', obtains the token? Can he impersonate A on SC? How do I put the identity of SC in the SAML token? Let's imagine a signed token, with the Bearer SubjectConfirmation.

Thanks,
Massimiliano

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
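The scenario in the question, as an added example that is not part of the original thread: an IdP issues an assertion for user "A" once with the bearer confirmation method and once with the SAML 2.0 holder-of-key method, and an assertion consumer checks who presents it. With bearer confirmation the consumer has nothing to compare the presenter against, so SC' replaying the token is accepted as A; with holder-of-key the IdP embeds the presenting client's certificate in SubjectConfirmationData/ds:KeyInfo, which is the standard place to put SC's identity in the token, and the consumer rejects any presenter whose transport-layer certificate does not match. Everything below is assumed for illustration: the issuer and consumer URLs are hypothetical, the XML signature is simulated with an HMAC under a key shared by IdP and consumer (a stand-in for XML-DSig over the IdP's key pair), the "certificates" are constructed byte strings, and the presenter's certificate is assumed to arrive from the transport layer (for example TLS client authentication).

```python
"""Added example: bearer vs holder-of-key subject confirmation in SAML 2.0.
Signature = HMAC stand-in for XML-DSig; presenter identity = fingerprint of the
certificate the client used at the transport layer (e.g. TLS client auth)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

IDP_KEY = b"idp-signing-key"              # constructed; stand-in for the IdP key pair
CONSUMER = "https://service.example/acs"  # hypothetical assertion consumer


def fingerprint(cert: bytes) -> str:
    """SHA-256 thumbprint of a client certificate, as a TLS peer would expose it."""
    return hashlib.sha256(cert).hexdigest()


def issue_assertion(user: str, method: str,
                    holder_cert: Optional[bytes] = None) -> Tuple[bytes, str]:
    """IdP side: build and sign an assertion whose Subject is `user`.
    For holder-of-key the presenting client's certificate goes into
    SubjectConfirmationData/ds:KeyInfo, binding the token to that client."""
    ET.register_namespace("saml", SAML)
    ET.register_namespace("ds", DS)
    root = ET.Element(f"{{{SAML}}}Assertion", ID="_a1", Version="2.0")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = "https://idp.example"  # hypothetical
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", Method=method)
    data = ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", Recipient=CONSUMER)
    if method == CM_HOK:
        if holder_cert is None:
            raise ValueError("holder-of-key needs the holder's certificate")
        key_info = ET.SubElement(data, f"{{{DS}}}KeyInfo")
        x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = holder_cert.decode()
    xml = ET.tostring(root)
    sig = hmac.new(IDP_KEY, xml, hashlib.sha256).hexdigest()  # stand-in for XML-DSig
    return xml, sig


def consume(xml: bytes, sig: str, presenter_cert: bytes) -> str:
    """Consumer side: verify signature and Recipient, then apply the confirmation
    method. `presenter_cert` is whatever certificate the client used on the wire."""
    expected = hmac.new(IDP_KEY, xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: bad signature"
    ns = {"saml": SAML, "ds": DS}
    root = ET.fromstring(xml)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", ns)
    data = conf.find("saml:SubjectConfirmationData", ns)
    if data.get("Recipient") != CONSUMER:
        return "rejected: wrong recipient"
    method = conf.get("Method")
    if method == CM_BEARER:
        # Possession is the only proof: nothing in the token names SC, so any
        # client on the network that obtains it is accepted as the subject.
        return f"accepted as {user} (bearer; presenter not checked)"
    if method == CM_HOK:
        named = data.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=ns)
        if named is None or fingerprint(named.encode()) != fingerprint(presenter_cert):
            return "rejected: presenter is not the holder named in the assertion"
        return f"accepted as {user} (holder-of-key; presenter is the holder)"
    return f"rejected: unsupported confirmation method {method}"


# Constructed stand-ins for the two clients' X.509 certificates.
SC_CERT = b"-----CERT SC-----"
SC_PRIME_CERT = b"-----CERT SC'-----"


def demo() -> Dict[str, str]:
    """Run the scenarios from the question and return each outcome."""
    results = {}
    bearer, bsig = issue_assertion("A", CM_BEARER)
    results["bearer, presented by SC"] = consume(bearer, bsig, SC_CERT)
    results["bearer, replayed by SC'"] = consume(bearer, bsig, SC_PRIME_CERT)
    hok, hsig = issue_assertion("A", CM_HOK, holder_cert=SC_CERT)
    results["hok, presented by SC"] = consume(hok, hsig, SC_CERT)
    results["hok, replayed by SC'"] = consume(hok, hsig, SC_PRIME_CERT)
    # SC' swaps its own certificate into the token: the IdP signature no longer matches.
    tampered = hok.replace(SC_CERT, SC_PRIME_CERT)
    results["hok, cert swapped by SC'"] = consume(tampered, hsig, SC_PRIME_CERT)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```

The check that matters is the last comparison in the holder-of-key branch: the consumer trusts the certificate only because it was proven at the transport layer (or by a signature over the request) and it matches what the IdP signed into the token. Bearer confirmation can be narrowed with Recipient, NotOnOrAfter and InResponseTo, but none of those identify SC, so replay by another valid client within the window still succeeds.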