Subject: RE: [security-services] Token binding
> I am not against the channel binding extension.

I started out sort of pushing it, now I'm leaning more toward just treating it as the obvious thing, a HoK SC, and getting on with it.

> In general the SP won’t know at the start of a SP initiated flow what the
> token binding ID is for the IdP, so it will be difficult to put that in a signed
> request.

I wasn't really expecting we'd bother trying to bind requests, but if that's a desire, that would have to be done with the extension I think.

> You could put the token binding ID for the SP in the signed request and then
> compare that to the referred token binding ID.
> That would have some value over just using the referred value, but I suspect
> people are as likely to do that as sign requests:)

I seem to be running into signed requests more and more for whatever reason.

> The main SSO use case is for SP initiated where the SP includes a HTTP
> header to the browser that causes the browser to include the token binding
> ID for the SP in the token binding header sent to the IdP.

That was the main goal I had.

> One way or another we will need to document something like a new SSO
> profile I suspect.

Probably so.

-- Scott