[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL
Just a final clarification: I think we should add some verbiage around the AssertionConsumerURL element along the lines of:

The IdP MUST verify that the URL is within the control of the provider for whom the Assertion is being requested. This can take the form of requiring that the provider sign the request, or some other means outside the scope of this specification.

Conor

Conor P. Cahill wrote on 8/26/2004, 12:14 AM:
>
> Scott Cantor wrote on 8/25/2004, 2:51 PM:
> > Right. See lines 548-549 of CD SSO profile, and related text later on.
> > It's clear that whatever the potential use of the attribute, this
> > profile calls out placing the URL there, whereas the entityID of the
> > SP is in the Audience, as in ID-FF.
>
> Upon some thought I think we should rethink this model of protecting
> the assertion by using the <Recipient> subject confirmation to list the
> delivery URL for the assertion.
>
> While this does help protect the security environment by telling the
> SP to not accept a token if presented on a different URL, it does NOT
> protect the potential leaking of information by the presentation of
> an assertion for the subject to an incorrect party.
>
> The information contained within an assertion does have privacy related
> information and we need to ensure that the IdP does not deliver the
> assertion to a party which shouldn't get it.
>
> Conor
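The two checks discussed in this thread, as an added example that is not code from the TC, the SAML specification or any poster: on the IdP side, refusing to deliver an assertion to an AssertionConsumerServiceURL that the requesting SP is not known to control (registered endpoints from SP metadata, or the SP vouching for the URL by signing the request), and on the SP side, honouring SubjectConfirmationData/@Recipient only at the URL the assertion actually arrived at. The SP registry, the AuthnRequest builder and all URLs are constructed for the example; XML-Signature verification is assumed to have been done by the caller and is passed in as a boolean. The mutual-exclusion rule for AssertionConsumerServiceURL and AssertionConsumerServiceIndex follows SAML 2.0 Core; the normalization in same_endpoint (scheme, host, path, ignoring query) is this example's own choice, not a spec requirement.

```python
"""Delivery-URL checks for a SAML 2.0 AuthnRequest (added example, not TC code).

Constructed data throughout: SP_REGISTRY stands in for what an IdP would load
from SP metadata, and make_request builds minimal AuthnRequests for testing.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry: entityID -> ordered (index, URL) endpoints, first is the default.
SP_REGISTRY = {
    "https://sp.example.org/saml": [
        (0, "https://sp.example.org/saml/acs"),
        (1, "https://sp.example.org/saml/acs-artifact"),
    ],
}


class AcsRejected(Exception):
    """No trustworthy delivery URL could be determined for the request."""


def parse_authn_request(xml_text):
    """Return (issuer, AssertionConsumerServiceURL, AssertionConsumerServiceIndex)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise AcsRejected("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise AcsRejected("AuthnRequest has no Issuer; cannot tell whose URL this is")
    return issuer, root.get("AssertionConsumerServiceURL"), root.get("AssertionConsumerServiceIndex")


def same_endpoint(a, b):
    """Compare two URLs on scheme, host[:port] and path; query and fragment are ignored."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower(), pa.path) == (pb.scheme.lower(), pb.netloc.lower(), pb.path)


def select_acs_url(issuer, url, index, registry=SP_REGISTRY, request_signed_by_sp=False):
    """IdP side: decide where the assertion may be delivered, or raise AcsRejected.

    request_signed_by_sp is assumed to be the result of verifying the request's
    XML Signature against the issuer's registered signing key (done by the caller).
    """
    endpoints = registry.get(issuer)
    if endpoints is None:
        raise AcsRejected(f"unknown issuer {issuer!r}")
    if url is not None and index is not None:
        raise AcsRejected("AssertionConsumerServiceURL and ...Index are mutually exclusive")
    if index is not None:
        for i, registered in endpoints:
            if str(i) == index:
                return registered
        raise AcsRejected(f"index {index!r} is not registered for {issuer}")
    if url is None:
        return endpoints[0][1]  # no selector: use the SP's default endpoint
    if request_signed_by_sp:
        return url  # the SP vouched for this URL under its own signature
    for _, registered in endpoints:
        if same_endpoint(url, registered):
            return registered
    raise AcsRejected(f"{url} is not a registered endpoint of {issuer}")


def decide(authn_request_xml, request_signed_by_sp=False, registry=SP_REGISTRY):
    """Wrap parse + selection into a (verdict, detail) pair suitable for logging."""
    try:
        issuer, url, index = parse_authn_request(authn_request_xml)
        return "deliver", select_acs_url(issuer, url, index, registry, request_signed_by_sp)
    except AcsRejected as exc:
        return "reject", str(exc)


def recipient_accepts(recipient, delivered_to):
    """SP side: accept SubjectConfirmationData/@Recipient only at the URL it names."""
    return same_endpoint(recipient, delivered_to)


def make_request(issuer, **attrs):
    """Build a minimal constructed AuthnRequest; attrs become attributes on the root."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_c1" Version="2.0" IssueInstant="2004-08-26T00:00:00Z"{extra}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


if __name__ == "__main__":
    sp = "https://sp.example.org/saml"
    print(decide(make_request(sp, AssertionConsumerServiceURL="https://sp.example.org/saml/acs")))
    print(decide(make_request(sp, AssertionConsumerServiceURL="https://attacker.example/acs")))
    print(decide(make_request(sp, AssertionConsumerServiceIndex="1")))
```

The unsigned request naming an unregistered URL is rejected even though the SP's entityID is legitimate, which is the leak Conor describes: the Recipient check alone would let the IdP hand the assertion to whoever supplied the URL, and only the receiving party would ever notice.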