
security-services message


Subject: RE: [security-services] Token binding

> I am not against the channel binding extension.

I started out sort of pushing it, now I'm leaning more toward just treating it as the obvious thing, a HoK SC, and getting on with it.

> In general the SP won’t know at the start of an SP-initiated flow what the
> token binding ID is for the IdP, so it will be difficult to put that in a signed
> request.

I wasn't really expecting we'd bother trying to bind requests, but if that's a desire, that would have to be done with the extension, I think.

> You could put the token binding ID for the SP in the signed request and then
> compare that to the referred token binding ID.
> That would have some value over just using the referred value, but I suspect
> people are as likely to do that as sign requests :)

I seem to be running into signed requests more and more for whatever reason.

> The main SSO use case is for SP-initiated, where the SP includes an HTTP
> header to the browser that causes the browser to include the token binding
> ID for the SP in the token binding header sent to the IdP.

That was the main goal I had.

> One way or another we will need to document something like a new SSO
> profile I suspect.

Probably so.

-- Scott
