OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL

Scott Cantor wrote on 8/25/2004, 2:03 PM:
 > That's not a threat in SAML (at least not precisely that one) because the
 > location to which the response can be delivered with the profile is in
 > the
 > signed response ( though in 2.0, it's in the assertion's subject
 > confirmation data). This wasn't done in ID-FF because the POST profile
 > there
 > forked off before it was addressed in 1.0.

So here's how it's an issue:

We have the following parties:

    * BadProvider - the guy who's being nasty
    * IdP - the good Identity provider
    * SP - the good Service Provider
    * Principal -

So, the Principal somehow browses to BadProvider... BadProvider submits
an AuthNRequest to IdP claiming he is SP and providing a consumerURL
that points back to a BadProvider managed location.   The IdP sends
the response back to BadProvider at this location (and in this case
we are doing a browser-post type operation, not artifact).

BadProvider can then act as a *browser* client of SP and submits the
assertion as a response to the consumer URL of SP and now SP will let
the BadProvider act as a bad guy on its site.

So, the IdP shouldn't use a consumer URL unless there is some reason
for it to trust it (either a signed request from a trusted party, or
because of some trusted metadata or some other such equivalent).


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]