
mace-opensaml-users - RE: Use SAML Assertion as Kerberos Ticket

Subject: OpenSAML user discussion


RE: Use SAML Assertion as Kerberos Ticket


  • From: "Scott Cantor" <>
  • To: "'Derek Atkins'" <>, "'Pham Hoai Van'" <>
  • Cc: <>
  • Subject: RE: Use SAML Assertion as Kerberos Ticket
  • Date: Wed, 23 Mar 2005 10:30:05 -0500
  • Organization: The Ohio State University

> A SAML Assertion does not include a Shared Secret with which the
> holder of the assertion (the user) can assert real-time possession.
> In other words, generally the assertions are single-use (unlike
> Kerberos tickets which are multiple use) and you handwave around the
> potential attacks by using SSL and assuming that someone on the
> network can't grab your packets, read your assertion, and replay the
> message before the original message gets to the SP.

That's true in the browser profile, not of SAML in general. SAML supports
subject confirmation via shared secret, there just aren't any common uses of
it at the moment. Public key confirmation is more common because the use
cases are often such that shared secrets don't scale.

It's not terribly hard to build something that looks a lot like a Kerberos
ticket using things like subject confirmation, audience conditions, etc.,
but it's not clear why you'd want to reinvent Kerberos. Particularly since
Kerberos at least *has* an API (even if it sucks) while with SAML you'd be
building the whole stack from scratch.

-- Scott
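The distinction Scott draws above (bearer confirmation, where holding the bytes is enough, versus subject confirmation tied to a key, plus an audience condition) as an added illustration; this is not code from the thread or from OpenSAML. The SP key table, the shared secret, the challenge and the HMAC-over-challenge proof are assumptions standing in for a real confirmation exchange, and XML Signature checking of the assertion itself is omitted.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed SP-side table of confirmation keys: key name -> shared secret.
SP_KEYS = {"alice-key-1": b"constructed-shared-secret"}

def make_assertion(subject, method, audience, key_name=None):
    """Build a minimal, unsigned, constructed assertion carrying only the
    parts relevant here: subject confirmation and an audience restriction."""
    keyinfo = (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>'
               if key_name else "")
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject>'
            f'<saml:NameID>{subject}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{method}">'
            f'<saml:SubjectConfirmationData>{keyinfo}</saml:SubjectConfirmationData>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

def prove_possession(secret, challenge):
    """Presenter's side (assumed protocol): MAC the SP's fresh challenge
    with the confirmation key named in the assertion."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

def sp_accepts(assertion_xml, my_audience, challenge, proof=None):
    """SP-side check: the audience must match, and a holder-of-key
    assertion is accepted only with a valid proof of possession."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML, "ds": DS}
    audiences = [a.text for a in root.findall(".//saml:Audience", ns)]
    if my_audience not in audiences:
        return False
    conf = root.find(".//saml:SubjectConfirmation", ns)
    method = conf.get("Method")
    if method == BEARER:
        return True                     # anyone holding the bytes is accepted
    if method == HOLDER_OF_KEY:
        key_name = conf.findtext(".//ds:KeyName", namespaces=ns)
        secret = SP_KEYS.get(key_name)
        if secret is None or proof is None:
            return False
        return hmac.compare_digest(prove_possession(secret, challenge), proof)
    return False                        # unknown confirmation method
```

A copied bearer assertion passes for whoever presents it, while the holder-of-key one fails without the proof over the SP's fresh challenge, which is the real-time possession check the quoted message says bearer assertions lack.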
