Subject: destination-side enforcement of one-time artifact use
In the Toronto F2F minutes (and in the current draft of the SSTC Response to Thomas Grosz's paper) we state that we plan to add destination-side enforcement of one-time artifact use. I believe this text is currently absent from Section 4 (SSO Profiles of SAML) of profiles-cd-01a.

I propose the inclusion of the following text in Section 4.1.4.4:

The service provider MUST ensure that an artifact value is not replayed. This may be achieved by maintaining a table of artifact values. Artifact values need only be entered into the table for the period of time during which the corresponding assertion (i.e., assertion obtained by dereferencing the artifact) is valid.
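
The table of artifact values described in the proposed text could look like the following sketch, which is an added example and not part of the original message or of any SAML implementation. The class and method names, the epoch-second timestamps and the `pending_ttl` retention for an artifact that has not been dereferenced yet are assumptions.

```python
import threading
import time


class ArtifactReplayCache:
    """Destination-side table of artifact values that were already presented."""

    def __init__(self, pending_ttl=300.0):
        # pending_ttl (assumed): seconds to keep an artifact whose assertion has
        # not been obtained yet, so its validity period is still unknown.
        self._pending_ttl = pending_ttl
        self._expiry = {}  # artifact value -> time after which the entry is dropped
        self._lock = threading.Lock()

    def _purge(self, now):
        # Drop entries whose corresponding assertion is no longer valid.
        for art in [a for a, exp in self._expiry.items() if exp <= now]:
            del self._expiry[art]

    def claim(self, artifact, now=None):
        """Record first use of an artifact; return False if it is a replay."""
        now = time.time() if now is None else now
        with self._lock:  # check-and-insert must be atomic across requests
            self._purge(now)
            if artifact in self._expiry:
                return False
            self._expiry[artifact] = now + self._pending_ttl
            return True

    def bind_validity(self, artifact, not_on_or_after):
        """After dereferencing, keep the entry until the assertion expires."""
        with self._lock:
            if artifact in self._expiry:
                self._expiry[artifact] = not_on_or_after

    def size(self):
        with self._lock:
            return len(self._expiry)
```

The service provider would call `claim()` before dereferencing and reject the request on `False`, then call `bind_validity()` with the end of the assertion's validity period. Once an entry is purged, a replayed artifact can only lead to an assertion that is no longer valid, which is why the table does not need to retain it longer.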