shibboleth-dev - RE: Inclusion of timestamp on redirect (again)

RE: Inclusion of timestamp on redirect (again)


  • From: Scott Cantor <>
  • To: 'Derek Atkins' <>
  • Cc:
  • Subject: RE: Inclusion of timestamp on redirect (again)
  • Date: Thu, 25 Dec 2003 23:52:36 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> Well, we already have to assume time-sync between the target and
> the AA, so why not assume time-sync between the target and the HS?

There's no issue there, the origin and target in SAML by definition have
time sync. It's not specific to the AA. Adding the WAYF in is a stronger
requirement, but it's not a major one, and it's not essential to my goal
anyway.

> So, I don't think a timestamp is sufficient to perform loop detection.
> IMHO it would be "better" if there were some way the target could add
> some additional (arbitrary) data (e.g. a loop count) that goes into
> the redirect and then winds up back in the POST. This means the WAYF
> and HS would need to handle the ancillary data properly. I suspect
> this is "harder" to handle than your timestamp.

Liberty has a RelayState element which is used by the target to specify the
target resource, address state mgmt, and I suppose could be used to handle
this sort of thing.

But it's opaque to the source site (one reason being it hides the resources
the user is accessing from the IdP, which is something I screwed up), so it
can't be used to fix the Back button. So they are basically separate issues.
It just happens that I *really* need to fix the Back button now before this
system will be deemed usable by my community.

-- Scott
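The two mechanisms discussed in this thread, an opaque RelayState that hides the target resource from the origin/IdP and ancillary loop-detection data that survives the redirect and comes back in the POST, can be combined on the target side. The following is an added illustration, not code from Scott, Derek, or the Shibboleth project: the target keeps the resource, a hop counter and an issue time server-side and gives the browser only a random handle, so the WAYF and HS never see the resource and need no special handling of the ancillary data. The class and method names, the hop limit and the age limit are assumptions chosen for the example.

```python
"""Added example: opaque RelayState handles with loop detection for a
redirect/POST login exchange. Assumed design (not the project's own):
the target stores state server-side keyed by a random handle, consumes
each handle once, and treats a handle re-issued more than max_hops
times, or older than max_age_s seconds, as a redirect loop."""
import secrets
import time


class RelayStateError(Exception):
    """Base class for RelayState problems."""


class LoopDetected(RelayStateError):
    """Target would redirect the same resource more times than allowed."""


class StaleOrUnknownState(RelayStateError):
    """Handle is unknown, already consumed, or too old."""


class RelayStateStore:
    def __init__(self, max_hops=3, max_age_s=300):
        self.max_hops = max_hops      # assumed limit on re-issues per resource
        self.max_age_s = max_age_s    # assumed maximum age of a handle
        self._state = {}              # handle -> {"resource", "hops", "issued"}

    def issue(self, resource, hops=0, now=None):
        """Create an opaque handle for the redirect to the WAYF/HS.

        The handle carries no information about the resource; everything
        the target needs later is kept in its own store."""
        now = time.time() if now is None else now
        if hops > self.max_hops:
            raise LoopDetected(f"{hops} redirects for {resource}")
        handle = secrets.token_urlsafe(24)
        self._state[handle] = {"resource": resource, "hops": hops, "issued": now}
        return handle

    def redeem(self, handle, now=None):
        """Consume the handle that came back in the POST (one-time use)."""
        now = time.time() if now is None else now
        entry = self._state.pop(handle, None)
        if entry is None:
            raise StaleOrUnknownState("unknown or already used RelayState")
        if now - entry["issued"] > self.max_age_s:
            raise StaleOrUnknownState("RelayState too old")
        return entry

    def reissue(self, entry, now=None):
        """Target must redirect again for the same resource: bump the hop count."""
        return self.issue(entry["resource"], hops=entry["hops"] + 1, now=now)


def simulate_redirect_loop(store, resource):
    """Drive issue -> redeem -> reissue until the store refuses.

    Returns the number of completed round trips before LoopDetected fires."""
    trips = 0
    now = 0.0
    handle = store.issue(resource, now=now)
    while True:
        now += 1.0
        entry = store.redeem(handle, now=now)
        trips += 1
        try:
            handle = store.reissue(entry, now=now)
        except LoopDetected:
            return trips


if __name__ == "__main__":
    demo = RelayStateStore(max_hops=2)
    print("round trips before loop detection:",
          simulate_redirect_loop(demo, "/protected/report"))
```

Because the handle is random and single-use, a replayed or bookmarked POST fails at `redeem` rather than re-entering the redirect, and the age check bounds how long a stale handle stays usable; the hop counter is what actually stops a target/WAYF/HS cycle, independently of clock agreement between the parties.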



