Skip to Content.
Sympa Menu

shibboleth-dev - Re: Shibboleth Service Provider Security Advisory [14 December 2004]

Subject: Shibboleth Developers

List archive

Re: Shibboleth Service Provider Security Advisory [14 December 2004]


Chronological Thread 
  • From: "Oleksandr Otenko" <>
  • To: Scott Cantor <>
  • Cc: 'Tom Scavo' <>,
  • Subject: Re: Shibboleth Service Provider Security Advisory [14 December 2004]
  • Date: Thu, 16 Dec 2004 11:23:31 +0000

Scott Cantor wrote:

...(and that is why I assumed that the Target uses the same approach).
(and that is why our software also makes the same assumption - if "@whatever" is present, its a scope domain)


You can never make such a decision without knowledge of the attributes.
Nothing we ever imposed could ever apply without regard for the specific
definition of the attribute.

You might consider (from what I know of your project) consuming the SAML
directly and not relying on the strings. Those are, essentially, a lossy
format. In this particular case, without knowing the attribute definition,
you can't know whether something is scoped only by looking at the string.
Simply can't be done (e.g. email address), and it's not a limitation I
created.

You can, however, tell by looking at the XML. It all depends on what you're
trying to do, but I think this is all separate from how I did or didn't
choose to map a directory string of
value@domain
to XML and back. The fact
that it's a two-part value is part of the attribute's definition, not based
on the arbitrary presence of an @ sign.

In fact, the use of the attributes in our project is somewhat different: Shibboleth is supposed to transport and interpret any attributes that the users might like to use, but in PERMIS we tell the users what attributes should look like :-) so only if the attribute syntax conforms to what we require will it make sense to our authorisation engine.

In other words, you are trying to fit your code to use the attributes that the people already have, but in our system we tell the people what attributes we agree to use :-) Well, the users do have choice, but we don't think it will harm if we mandate that the "@" sign shouldn't be used in the attribute values irresponsibly.

I don't think we would like to parse SAML - that would introduce more delays; I think we will be happy with using the string attributes, and mandate the meaning of the "@whatever" in our system.


Sassa

-- Scott




Archive powered by MHonArc 2.6.16.

Top of Page