shibboleth-dev - RE: SAML Artifact attribute


RE: SAML Artifact attribute

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: <>, <>, <>
  • Subject: RE: SAML Artifact attribute
  • Date: Thu, 27 Apr 2006 13:36:46 -0400
  • Organization: The Ohio State University

BTW, another data point is that IBM seems rather determined to prove that
artifact-based approaches are less secure, and I'm inclined to agree with
them. They've done analyses of both SAML 1.1 and 2.0 to demonstrate attacks
against the artifact profile/binding, but have not done so with POST.

I suspect the attacks aren't really more or less, just different, but there
is something a little shaky about sending references around on the URL
because of how many places URLs get logged/echoed in the web. Actually, SAML
2.0 allows artifacts to be sent via POST, so that itself makes a lot of the
comparisons different.

I also suspect it's rather immaterial when we're talking about applications
for whom "security" is currently defined in terms of IP addresses, shared
passwords, etc. Shibboleth can be applied to many problems of different risk
profile, and you're most likely at the low end. If you run apps today
without using TLS/SSL, for example, you've already pretty much punted on
real protection for sessions. SAML profiles won't be the attack vector for
apps like that.

-- Scott
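As an added illustration (not part of Scott's message or of Shibboleth), a defender-side check for the logging concern raised above: a Python scan of web-server access logs that flags requests carrying a SAML artifact in the URL query (the SAMLart parameter the artifact binding uses) and redacts the value before the line is retained. The log lines, client addresses and handler path are constructed samples, and the access-log layout assumed is the common combined format.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines (not real traffic); the artifact value is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2006:13:36:46 -0400] "GET /Shibboleth.sso/SAML/Artifact?SAMLart=CONSTRUCTEDARTIFACTVALUE&TARGET=https%3A%2F%2Fsp.example.org%2Fsecure HTTP/1.1" 302 0
10.0.0.6 - - [27/Apr/2006:13:37:01 -0400] "GET /secure/index.html HTTP/1.1" 200 1234
10.0.0.7 - - [27/Apr/2006:13:37:15 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 0
"""

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD URI PROTOCOL".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)

# Query parameter name defined by the SAML artifact binding (1.1 and 2.0 HTTP-Artifact).
ARTIFACT_PARAMS = {"SAMLart"}


def artifact_values(uri):
    """Return any artifact values carried in the query string of a request URI."""
    query = urlsplit(uri).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k in ARTIFACT_PARAMS]


def find_artifact_requests(log_text):
    """List (client, method, path) for every log line whose URL exposed an artifact."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and artifact_values(m.group("uri")):
            hits.append((m.group("ip"), m.group("method"), urlsplit(m.group("uri")).path))
    return hits


def redact_uri(uri):
    """Replace artifact values in the query string, keeping other parameters intact."""
    parts = urlsplit(uri)
    pairs = [(k, "REDACTED" if k in ARTIFACT_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_line(line):
    """Rewrite one access-log line so the stored copy no longer carries the artifact."""
    m = REQUEST_RE.match(line)
    if not m:
        return line
    start, end = m.span("uri")
    return line[:start] + redact_uri(m.group("uri")) + line[end:]


if __name__ == "__main__":
    for hit in find_artifact_requests(SAMPLE_LOG):
        print("artifact on URL:", hit)
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The POST handler line produces no hit because the artifact binding over POST carries the value in the request body, which this access-log scan never sees.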




Archive powered by MHonArc 2.6.16.