OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (SECURITY-6) PE: Conflict withcore in SSO profile on returning error Responses to SP

    [ http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18335#action_18335 ] 

Ari Kermaier commented on SECURITY-6:

I'm skeptical about the proposition that SAML 2.0 Profiles should be helping deployers to coerce implementers into providing a product "feature" that raises obvious security issues. I think that should properly be within the scope of a particular federation/community's deployment/interop/UX guidelines, which implementers can choose to accept as product requirements if they want that community's business, rather than the Profiles spec.

And, IMO, if we insist on adding language that blurs this distinction to the effect of introducing new security considerations, we're obligated to point them out. For example, a MITM who alters the AuthnRequest to include a bogus AssertionConsumerService URL, can force redirection to a rogue SP without the user's awareness, after which the user's authentication interactions are with untrusted providers.

> PE: Conflict with core in SSO profile on returning error Responses to SP
> ------------------------------------------------------------------------
>                 Key: SECURITY-6
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-6
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Bug
>          Components: Profiles
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Assignee: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
> Section of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
> Section of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
> The conflicting language should be clarified, without imposing the impossible requirement for an IdP to guarantee a response, but to encourage implementers to favor responses and/or provide options to ensure that.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]