[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName
> Hi, I noticed that the IssuerName is not a MUST for a Response.

Issuer, you mean? No, it's optional because I guess people aren't as convinced as I am that it's madness not to do this uniformly. One of SAML 1.x's biggest weaknesses IMHO was lack of Issuer in the protocol layer. It screwed us up repeatedly. It also caused Liberty to sprinkle ProviderID elements all over the place.

> However, for an unsolicited Response, this makes handling
> EncryptedAssertion elements whose decryption certs are
> exchanged via metadata (and not in the Response) more
> difficult or impossible. I.e., if KeyName/X509SerialNumber is
> not part of the EncryptedAssertion, how would you know which
> decryption key to use?

It screws up signing too, since you have to derive the responder from the certificate and that's just not the easiest direction to go in, IMHO.

> Am I missing something here? Should IssuerName be required
> in the Response to avoid these types of issues?

I think the party line is that I was able to require use of Issuer in all the profiles I wrote, so the fact that it's technically optional in core doesn't matter that much. If somebody finds a good use for not including an Issuer, so be it. If I missed a spot in profiles, that's an errata.

-- Scott
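The key-selection problem the two posters are describing, as an added example that is not part of the original thread or of any SAML implementation: an SP receiving an unsolicited samlp:Response has to decide which of its metadata-published decryption keys to try. With a samlp:Response/saml:Issuer it looks up that one entity and uses any ds:KeyName hint only to pick among that entity's keys; without an Issuer it is forced into the reverse lookup (hint to entity) that Scott calls the wrong direction, and with neither it should refuse rather than try every key it knows. The metadata registry, entityIDs, key names and the two sample Responses below are constructed for the example; no decryption is performed, only the selection step.

```python
"""Choose the decryption key for an EncryptedAssertion in a SAML 2.0 Response.

Added example. METADATA is a constructed stand-in for a metadata store
(entityID -> {ds:KeyName -> key identifier}); the key ids are labels, not keys.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: two hypothetical IdPs; the first publishes two encryption keys.
METADATA = {
    "https://idp.example.org/saml": {"idp-enc-2024": "key-A", "idp-enc-2023": "key-B"},
    "https://other-idp.example.net/saml": {"other-enc": "key-C"},
}


def keyname_hint(response):
    """Return the ds:KeyName carried with the EncryptedKey, or None.

    The EncryptedKey may sit inside EncryptedData/KeyInfo or beside
    EncryptedData under EncryptedAssertion, so search the whole subtree.
    (An X509IssuerSerial hint would be handled the same way.)
    """
    ea = response.find("saml:EncryptedAssertion", NS)
    if ea is None:
        raise ValueError("Response carries no EncryptedAssertion")
    el = ea.find(".//xenc:EncryptedKey/ds:KeyInfo/ds:KeyName", NS)
    return el.text.strip() if el is not None and el.text else None


def select_decryption_key(response_xml, metadata=METADATA):
    """Return (entityID, key id) to decrypt with, or raise ValueError.

    1. Issuer present: restrict to that entity; the hint only disambiguates.
    2. No Issuer: reverse-lookup the hint across all entities (the hard direction).
    3. Neither: refuse; trying every known key is not acceptable.
    """
    response = ET.fromstring(response_xml)
    if response.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    hint = keyname_hint(response)
    issuer_el = response.find("saml:Issuer", NS)  # direct child of the Response only
    if issuer_el is not None and issuer_el.text and issuer_el.text.strip():
        issuer = issuer_el.text.strip()
        keys = metadata.get(issuer)
        if not keys:
            raise ValueError("Issuer %r is not in metadata" % issuer)
        if hint is not None:
            if hint not in keys:
                raise ValueError("KeyName %r unknown for %r" % (hint, issuer))
            return issuer, keys[hint]
        if len(keys) == 1:
            return issuer, next(iter(keys.values()))
        raise ValueError("%r has %d encryption keys and no KeyName hint" % (issuer, len(keys)))
    if hint is None:
        raise ValueError("no Issuer and no KeyName hint: cannot choose a key")
    matches = [(entity, keys[hint]) for entity, keys in metadata.items() if hint in keys]
    if len(matches) != 1:
        raise ValueError("KeyName %r matches %d entities" % (hint, len(matches)))
    return matches[0]


def build_sample_response(issuer, keyname):
    """Constructed unsolicited Response; issuer/keyname may be None to omit them."""
    issuer_xml = "<saml:Issuer>%s</saml:Issuer>" % issuer if issuer else ""
    keyname_xml = "<ds:KeyName>%s</ds:KeyName>" % keyname if keyname else ""
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:xenc="%s" xmlns:ds="%s"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  %s
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <ds:KeyInfo>%s</ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], NS["xenc"], NS["ds"], issuer_xml, keyname_xml)


if __name__ == "__main__":
    print(select_decryption_key(build_sample_response("https://idp.example.org/saml", "idp-enc-2024")))
    print(select_decryption_key(build_sample_response(None, "other-enc")))
```

The second call in the usage succeeds only because the hint happens to be unique across the whole registry; if two IdPs published the same KeyName (nothing forbids it), the Issuer-less Response could not be decrypted at all, which is the failure the first poster is pointing at.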