
saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] IdP initiated SSO and RelayState

> The standard recommends using some unguessable value as "RelayState".

Not unguessable, just opaque. I don't recall any language about it being unguessable. The ID itself has specific requirements for uniqueness that are specifically targeted at replay.

> Thus, while the client can freely manipulate the value, it should be
> difficult for a third party to guess the correct "RelayState" value
> and provide appropriate content in the assertion for the guessed value -
> apart from replaying such an assertion - which can easily be prevented
> by invalidating a relay state value as soon as a response for it
> arrives.

That isn't necessary; the ID is already there for this purpose, and people use RelayState in ways that are totally unsuitable for this.

-- Scott
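The reply above rests on the assertion ID, not RelayState, being the replay handle. As an added example that is not part of this thread, here is a minimal SP-side replay cache in Python that keys on the assertion's ID and remembers it until the assertion's own NotOnOrAfter; the assertion XML, issuer and timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the thread); signature omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

# Constructed clock values used by the demo and tests.
AT_ISSUE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = AT_ISSUE + timedelta(minutes=6)


def _parse_utc(ts):
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers accepted assertion IDs until their NotOnOrAfter, then forgets them.

    An ID only needs to be retained while the assertion could still be accepted,
    so the cache is bounded by the validity window the IdP itself asserted.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (UTC datetime)

    def check_and_record(self, assertion_xml, now=None):
        now = now or datetime.now(timezone.utc)
        # Drop entries whose assertion can no longer be valid anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "assertion has no ID"
        cond = root.find("saml:Conditions", NS)
        not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
        if not not_on_or_after:
            return False, "assertion has no NotOnOrAfter"
        expiry = _parse_utc(not_on_or_after)
        if now >= expiry:
            return False, "assertion expired"
        if assertion_id in self._seen:
            return False, "replayed assertion ID"
        self._seen[assertion_id] = expiry  # record only after all other checks pass
        return True, "accepted"
```

Signature verification and audience/recipient checks would run before this cache in a real SP; the example isolates only the replay decision the thread is about.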
