OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] ECP profile question

> It seems like this example would still require the ECP to send a SOAP
> fault response to the service provider.  No?

I haven't looked closely at it, but if they don't match, it's wrong.

> Why have the AssertionConsumerServiceURL at all?  Why not just have the
> ECP always deliver the response to the responseConsumerURL?

The IdP is the one who knows where it's authorized to send PII about the
user to a given provider. The client typically is deferring this to the IdP
in order to keep it minimal (but with the usual privacy costs).

The cross-check itself is to block a MitM attack where somebody intercepts
the SP's response and redirects the ECP to tell it to send the response to
it. The IdP has the metadata and the ECP authenticates it, so it knows if
it's being told to send the response elsewhere, something's wrong.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]