Subject: RE: [saml-dev] IdP initiated SSO and RelayState
> The standard recommends using some unguessable value as "RelayState".

Not unguessable, just opaque. I don't recall any language about it being unguessable. The ID itself has specific requirements for uniqueness that are specifically targeted at replay.

> Thus, while the client can freely manipulate the value, it should be
> difficult for a third party to guess the correct "RelayState" value
> and provide appropriate content in the assertion for the guessed value -
> apart from replaying such an assertion - which can easily be prevented
> by invalidating a relay state value as soon as a response for it
> arrives.

That isn't necessary, the ID is already there for this purpose, and people use RelayState in ways that are totally unsuitable for this.

-- Scott
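The distinction Scott draws is easy to get wrong in SP code, so here is an added illustration (not from the thread or from any SAML library) of the shape it takes: replay detection is keyed on the assertion's ID attribute and bounded by its NotOnOrAfter time, while RelayState is treated purely as an opaque handle the SP uses to look up where to send the user afterwards. The InboundAssertion dataclass, the ReplayCache class and complete_login are hypothetical names constructed for this example; the cache assumes the assertion has already been signature-checked and that the SP tracks IDs only for as long as the assertion could still be valid (plus an assumed clock-skew allowance).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class InboundAssertion:
    """Minimal constructed model of the fields an SP needs here (not a SAML parser)."""
    assertion_id: str        # Assertion/@ID, which the spec requires to be unique
    not_on_or_after: float   # SubjectConfirmationData/@NotOnOrAfter as a Unix timestamp
    relay_state: str         # opaque value the SP emitted and received back unchanged


class ReplayCache:
    """Remembers consumed assertion IDs until they could no longer be valid anyway.

    Keying on the ID (not on RelayState) is what actually stops a replay:
    the same assertion presented with a different RelayState is still a replay.
    """

    def __init__(self, clock: Callable[[], float] = time.time, skew: float = 60.0):
        self._seen: Dict[str, float] = {}  # assertion_id -> expiry timestamp
        self._clock = clock
        self._skew = skew  # assumed tolerance for clock drift between IdP and SP

    def _purge(self) -> None:
        # Drop IDs whose assertions have expired; they can never be accepted again,
        # so the cache stays bounded without losing protection.
        now = self._clock()
        for aid, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[aid]

    def consume(self, a: InboundAssertion) -> bool:
        """Return True if the assertion is fresh; False if it is expired or a replay."""
        self._purge()
        now = self._clock()
        expiry = a.not_on_or_after + self._skew
        if expiry <= now:
            return False  # expired: reject regardless of whether we have seen the ID
        if a.assertion_id in self._seen:
            return False  # ID already consumed: this is a replay
        self._seen[a.assertion_id] = expiry
        return True


def complete_login(cache: ReplayCache, a: InboundAssertion,
                   relay_targets: Dict[str, str], default_target: str) -> Optional[str]:
    """Decide where to send the user once the assertion is accepted.

    RelayState only selects a destination the SP itself registered earlier; an
    unknown or tampered value falls back to a default rather than being trusted.
    Returns None when the assertion must be rejected.
    """
    if not cache.consume(a):
        return None
    return relay_targets.get(a.relay_state, default_target)


if __name__ == "__main__":
    # Constructed sample: a fixed clock so the run is reproducible.
    cache = ReplayCache(clock=lambda: 1000.0, skew=0.0)
    targets = {"r1": "/app/dashboard"}
    first = InboundAssertion("_id-0001", 1300.0, "r1")
    print(complete_login(cache, first, targets, "/"))   # /app/dashboard
    print(complete_login(cache, first, targets, "/"))   # None (replay)
```

Note that the second call is rejected even though nothing about the RelayState changed and, as the test below also checks, it would still be rejected with a different RelayState; invalidating relay-state values, as the quoted message proposes, adds nothing the ID check does not already provide.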