Re: [saml-dev] how to verify the sender of a SAML authn request

saml-dev message

Subject: Re: [saml-dev] how to verify the sender of a SAML authn request

From: Mitu Singh <mitusingh27@yahoo.com>

To: "Cantor, Scott" <cantor.2@osu.edu>, "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>

Date: Thu, 1 Aug 2013 15:59:03 -0700 (PDT)

Thanks Scott for your response.

I looked at the saml-profile document. For Web SSO Profile (Section 4.1.4.1 <AuthnRequest> Usage) "The <Issuer> element MUST be present and MUST contain the unique identifier of the requesting service provider

So the Issuer will help identify the sender in case of WebSSO profile. Is that correct?

Thanks!

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Mitu Singh <mitusingh27@yahoo.com>; "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Sent: Thursday, August 1, 2013 3:12 PM
Subject: Re: [saml-dev] how to verify the sender of a SAML authn request

On 8/1/13 5:44 PM, "Mitu Singh" <mitusingh27@yahoo.com> wrote:
>
>I have a question regarding the SAML Authentication Request. When an IDP
>receives a SAML authentiocation request, how can they validate the sender
>of the request? The issuer name, provider name,
>AssertionConsumerServiceURL and the signature are all optional.

They aren't optional in the context of specific profiles.

-- Scott