OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL


> SSL isn't the issue.  Protecting the AuthnRequest is more about
> preventing a third party from submitting an AuthnRequest acting
> as a different provider.    If the URL isn't clearly protected,
> the 3rd party could say it was a provider and specify its own
> URL for the response, thereby getting a token that it could use
> to act as the user at the provider.

That's not a threat in SAML (at least not precisely that one) because the
location to which the response can be delivered with the profile is in the
signed response (though in 2.0, it's in the assertion's subject
confirmation data). This wasn't done in ID-FF because the POST profile there
forked off before it was addressed in 1.0.

The underlying issue in SAML is not about impersonation using the token by
the evil requester, which is prevented by this countermeasure. It's more
about delivering data in the response (such as attributes) to a location
that the IdP knows is associated with the SP, to ensure privacy policies are
adhered to.

Your point is taken, though; I see how a signed request addresses the issue
I was thinking of.

-- Scott
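
The two countermeasures the message refers to, as an added example that is not part of the thread or of any OASIS or Shibboleth code: on the IdP side, the response destination is resolved from the requester's registered metadata (by AssertionConsumerServiceIndex, or by accepting an AssertionConsumerServiceURL only if metadata already lists it), so a third party cannot steer the response to its own URL; on the SP side, the signed Destination and the assertion's SubjectConfirmationData Recipient are compared with the SP's own endpoints, which is what makes a token issued for one party useless at another. The entity IDs, endpoint URLs, metadata table and XML messages are constructed for the example, and XML signature verification is assumed to have been done before `check_response_endpoints` runs (the fields are only trustworthy because they sit under the signature).

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata: one SP with two registered ACS endpoints.
# A real IdP loads this from the SP's SAML metadata; index 0 is treated as
# the default here (metadata expresses that with the isDefault attribute).
SP_ENDPOINTS = {
    "https://sp.example.org/shibboleth": {
        0: "https://sp.example.org/Shibboleth.sso/SAML2/POST",
        1: "https://sp.example.org/Shibboleth.sso/SAML2/Artifact",
    }
}
MY_ACS_URLS = frozenset(SP_ENDPOINTS["https://sp.example.org/shibboleth"].values())


def resolve_acs(authn_request_xml, sp_endpoints=SP_ENDPOINTS):
    """IdP side: pick the endpoint the Response may be sent to, from metadata only.

    AssertionConsumerServiceIndex and AssertionConsumerServiceURL are mutually
    exclusive in an AuthnRequest. An index is looked up in the requester's
    metadata; a URL is accepted only if metadata already lists it. Either way the
    requester cannot name an endpoint the IdP does not associate with that SP.
    """
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    endpoints = sp_endpoints.get(issuer)
    if endpoints is None:
        raise ValueError(f"unknown requester {issuer!r}")
    index = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    if index is not None and url is not None:
        raise ValueError("AssertionConsumerServiceIndex and ...URL are mutually exclusive")
    if index is not None:
        if not index.isdigit() or int(index) not in endpoints:
            raise ValueError(f"no ACS endpoint with index {index!r} in metadata")
        return endpoints[int(index)]
    if url is not None:
        if url not in endpoints.values():
            raise ValueError(f"ACS URL {url!r} is not in the requester's metadata")
        return url
    return endpoints[0]  # nothing specified: use the default endpoint


def check_response_endpoints(response_xml, my_acs_urls):
    """SP side, after signature verification: reject the Response unless the
    signed Destination and every SubjectConfirmationData Recipient name one of
    this SP's own ACS endpoints. Returns the accepted Destination."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination not in my_acs_urls:
        raise ValueError(f"Destination {destination!r} is not one of our endpoints")
    recipients = [scd.get("Recipient")
                  for scd in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients:
        raise ValueError("no SubjectConfirmationData to check")
    for recipient in recipients:
        if recipient not in my_acs_urls:
            raise ValueError(f"Recipient {recipient!r} is not one of our endpoints")
    return destination


def rejected(check, *args):
    """True if the check raises ValueError; used for the negative cases."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


# Constructed messages (no signatures shown; see the lead-in).
AUTHN_REQUEST_BY_INDEX = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2004-09-01T12:00:00Z" AssertionConsumerServiceIndex="1">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Same Issuer, but an ACS URL the SP never registered: the case from the thread.
AUTHN_REQUEST_EVIL_URL = AUTHN_REQUEST_BY_INDEX.replace(
    'AssertionConsumerServiceIndex="1"',
    'AssertionConsumerServiceURL="https://evil.example.net/catch"')

RESPONSE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2004-09-01T12:00:05Z" InResponseTo="_req1"
  Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2004-09-01T12:00:05Z">
    <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
          Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"
          NotOnOrAfter="2004-09-01T12:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# A token minted for another party's endpoint (in practice the mismatch would
# also break the signature; this exercises the SP-side endpoint check alone).
RESPONSE_REDIRECTED = RESPONSE_OK.replace(
    'Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"',
    'Recipient="https://evil.example.net/catch"')
```

Both checks are deliberately independent of the transport: whether the message arrives over SSL or not does not change them, which is the point made in the reply above. The IdP-side check is what keeps attributes from being delivered to a location the SP's metadata does not vouch for; the SP-side check is what stops a bearer assertion issued for one endpoint from being presented at another.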


