Subject: RE: [security-services] ECP profile question
> > It seems like this example would still require the ECP to send a SOAP
> > fault response to the service provider. No?
>
> I haven't looked closely at it, but if they don't match, it's wrong.

I believe it is wrong so we should probably re-open that errata item.

> > Why have the AssertionConsumerServiceURL at all? Why not just have the
> > ECP always deliver the response to the responseConsumerURL?
>
> The IdP is the one who knows where it's authorized to send PII about the
> user to a given provider. The client typically is deferring this to the
> IdP in order to keep it minimal (but with the usual privacy costs).
>
> The cross-check itself is to block a MitM attack where somebody intercepts
> the SP's response and redirects the ECP to tell it to send the response to
> it. The IdP has the metadata and the ECP authenticates it, so it knows if
> it's being told to send the response elsewhere, something's wrong.

Fair enough.
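The cross-check discussed above, as an added example that is not from this thread or from any SAML implementation: the ECP reads `responseConsumerURL` from the SP's PAOS request header and `AssertionConsumerServiceURL` from the IdP's `ecp:Response` header, and either forwards to the agreed URL or answers the SP with a SOAP fault. The two envelopes are constructed samples reduced to the headers the check needs, and exact string comparison of the URLs is an assumption of this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

# Constructed sample messages, reduced to the SOAP headers the check reads.
SP_PAOS_REQUEST = f"""<S:Envelope xmlns:S="{SOAP}"><S:Header>
<paos:Request xmlns:paos="{PAOS}" S:mustUnderstand="1"
  S:actor="http://schemas.xmlsoap.org/soap/actor/next" service="{ECP}"
  responseConsumerURL="https://sp.example.org/SAML2/ECP"/>
</S:Header><S:Body/></S:Envelope>"""

IDP_ECP_RESPONSE = f"""<S:Envelope xmlns:S="{SOAP}"><S:Header>
<ecp:Response xmlns:ecp="{ECP}" S:mustUnderstand="1"
  S:actor="http://schemas.xmlsoap.org/soap/actor/next"
  AssertionConsumerServiceURL="https://sp.example.org/SAML2/ECP"/>
</S:Header><S:Body/></S:Envelope>"""

def _header_attr(envelope, tag, attr):
    """Read one attribute off a SOAP header block; a missing one means the message is malformed."""
    root = ET.fromstring(envelope)
    node = root.find(f"{{{SOAP}}}Header/{tag}")
    if node is None or attr not in node.attrib:
        raise ValueError(f"missing {tag}@{attr}")
    return node.attrib[attr]

def soap_fault(reason):
    """SOAP 1.1 Client fault the ECP returns to the SP instead of the SAML response."""
    return (f'<S:Envelope xmlns:S="{SOAP}"><S:Body><S:Fault>'
            f"<faultcode>S:Client</faultcode><faultstring>{reason}</faultstring>"
            "</S:Fault></S:Body></S:Envelope>")

def ecp_route(sp_envelope, idp_envelope):
    """Decide where the ECP delivers the IdP's response.

    Returns ("forward", url) when the SP's responseConsumerURL and the IdP's
    AssertionConsumerServiceURL agree, otherwise ("fault", envelope) carrying
    the fault the SP receives. Exact string comparison, no URL normalisation
    (an assumption of this example: the spec text does not ask for any).
    """
    sp_url = _header_attr(sp_envelope, f"{{{PAOS}}}Request", "responseConsumerURL")
    idp_url = _header_attr(idp_envelope, f"{{{ECP}}}Response", "AssertionConsumerServiceURL")
    if sp_url != idp_url:
        return ("fault", soap_fault("responseConsumerURL does not match AssertionConsumerServiceURL"))
    return ("forward", sp_url)
```

A mismatch is the signal the reply describes: the IdP's value comes from metadata over an authenticated channel, so a differing `responseConsumerURL` means the SP's message was altered in transit.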