Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL
Scott Cantor wrote on 8/25/2004, 2:51 PM:

> Right. See lines 548-549 of CD SSO profile, and related text later on.
> It's clear that whatever the potential use of the attribute, this
> profile calls out placing the URL there, whereas the entityID of the
> SP is in the Audience, as in ID-FF.

Upon some thought I think we should rethink this model of protecting the assertion by using the <Recipient> subject confirmation to list the delivery URL for the assertion.

While this does help protect the security environment by telling the SP to not accept a token if presented on a different URL, it does NOT protect against the potential leaking of information by the presentation of an assertion for the subject to an incorrect party. The information contained within an assertion does have privacy-related information and we need to ensure that the IdP does not deliver the assertion to a party which shouldn't get it.

Conor
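The two distinct protections being discussed (the SP rejecting an assertion presented on a URL other than its <Recipient>, and the IdP refusing to deliver an assertion to an endpoint the requesting SP does not own) can be seen side by side in a small worked example. This is added illustration, not code from the thread or from any SAML implementation; the entityIDs, URLs, the metadata table and the helper names (`resolve_acs`, `issue`, `check_assertion`) are all constructed for this example, and signature handling is deliberately left out because the point is the field checks only.

```python
"""Added example: IdP-side delivery check and SP-side Recipient/Audience check.

  - resolve_acs / issue (IdP): an AssertionConsumerServiceIndex or URL from the
    AuthnRequest is only honoured if it is a registered endpoint of the
    requesting SP, so the assertion is never delivered (and <Recipient> never
    set) to a party that should not receive it.
  - check_assertion (SP): reject an assertion whose <Recipient> is not the URL
    it was actually presented on, or whose <Audience> is not this SP's entityID.

All entityIDs, URLs and the metadata table are constructed for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Constructed SP metadata: entityID -> {ACS index: ACS URL}. This is the set of
# "registered" endpoints the IdP trusts for each SP.
SP_METADATA = {
    "https://sp.example.org/shibboleth": {
        0: "https://sp.example.org/Shibboleth.sso/SAML2/POST",
        1: "https://sp.example.org/Shibboleth.sso/SAML2/Artifact",
    },
}


def _q(tag):
    return "{%s}%s" % (SAML_NS, tag)


def resolve_acs(sp_entity_id, acs_index=None, acs_url=None):
    """IdP side: map the request's ACS index or URL to a delivery URL.
    Returns None (refuse to issue) unless it matches a registered endpoint."""
    endpoints = SP_METADATA.get(sp_entity_id)
    if endpoints is None:
        return None
    if acs_index is not None:
        return endpoints.get(acs_index)
    if acs_url is not None and acs_url in endpoints.values():
        return acs_url
    return None


def build_assertion(issuer, audience, recipient, name_id):
    """Minimal unsigned assertion carrying the two fields under discussion:
    the delivery URL in SubjectConfirmationData/@Recipient and the SP entityID
    in Conditions/AudienceRestriction/Audience."""
    a = ET.Element(_q("Assertion"), {"Version": "2.0", "ID": "_constructed-id"})
    ET.SubElement(a, _q("Issuer")).text = issuer
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID")).text = name_id
    sc = ET.SubElement(subj, _q("SubjectConfirmation"),
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, _q("SubjectConfirmationData"), {"Recipient": recipient})
    cond = ET.SubElement(a, _q("Conditions"))
    ar = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(ar, _q("Audience")).text = audience
    return ET.tostring(a, encoding="unicode")


def issue(idp_entity_id, sp_entity_id, name_id, acs_index=None, acs_url=None):
    """IdP side: issue an assertion only to a registered endpoint of the SP.
    Returns (recipient_url, assertion_xml) or None when delivery is refused."""
    recipient = resolve_acs(sp_entity_id, acs_index, acs_url)
    if recipient is None:
        return None
    return recipient, build_assertion(idp_entity_id, sp_entity_id, recipient, name_id)


def check_assertion(xml_text, presented_on_url, my_entity_id):
    """SP side: accept only if Recipient equals the URL the assertion arrived on
    and this SP's entityID is among the Audience values."""
    root = ET.fromstring(xml_text)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != presented_on_url:
        return False, "Recipient mismatch"
    audiences = [e.text for e in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "Audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp"
    sp = "https://sp.example.org/shibboleth"
    print("index 1 ->", issue(idp, sp, "alice", acs_index=1)[0])
    print("unregistered URL ->", issue(idp, sp, "alice", acs_url="https://other.example.net/acs"))
    url, xml_text = issue(idp, sp, "alice", acs_index=0)
    print("presented on its own URL ->", check_assertion(xml_text, url, sp))
    print("presented elsewhere ->", check_assertion(xml_text, SP_METADATA[sp][1], sp))
```

The IdP-side check is what addresses Conor's concern: <Recipient> only limits where an SP will accept the token, so the IdP must itself bind the requested index or URL to the SP's registered metadata before it releases anything.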