OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Trust in artifact resolution

Section 5.4.2 ("<ArtifactResponse> Usage") of SAML2Profiles states  
that "The responder MUST authenticate itself to the requester and  
ensure message integrity, either by signing the message or using a  
binding-specific mechanism".

I'm curious about the requirement to authenticate to the responder.

For example, imagine an SAML artifact format that carried a hash of  
the SAML message. The requester could verify post hoc that the  
resolved assertion was genuine by calculating the hash and matching  
this value to the value in the artifact.

This isn't authentication, but it provides the evidence that the  
requester needs (that it has obtained the SAML message from the same  
place it obtained the artifact).

If a binding where to use this mechanism, would this violate the  
requirement set out above?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]