shibboleth-dev - RE: release of authentication assertion
Shibboleth Developers list archive
- From: Scott Cantor
- Subject: RE: release of authentication assertion
- Date: Thu, 21 Sep 2006 19:28:24 -0400
- Organization: The Ohio State University
> What is a concern however is the fact that authentication assertions
> are still released. So someone could very easily set up an
> application and use our IdP to authenticate that user without
> us ever knowing about it.
You know about it; it's logged as an anonymous provider. By definition you
don't know who that is, of course, and I doubt we log the requested ACS
endpoint.
> like we need is not just an "Attribute Release Policy", but rather an
> "Assertion Release Policy".
That's what endpoint checking is; we just don't have an option to disallow
unidentified providers. It's already going to be added per the request of
the Swiss among others.
I'd like to note that this basic aspect of SAML deployment (some products
don't allow anonymous requests) is viewed by some communities as a bad
thing, because it forces the user to be at the mercy of the IdP when it
comes to which services to access.
> I know there are a number of technical considerations to this and
> concern? Does this sound like something that may be more easily
> addressed in Shib2 with the planned changes to the ARP structure?
It's not really an ARP issue; it's about the basic SSO flow and is already
built into SAML as part of the assertion consumer service concept. The IdP
is supposed to mediate endpoints for the user, and that includes the ability
to say no.
-- Scott
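The endpoint check Scott describes, as an added illustration that is not part of the original thread and not Shibboleth's own code: an IdP receives a SAML 2.0 AuthnRequest, reads the requester's Issuer and the AssertionConsumerServiceURL it asks the assertion to be sent to, and refuses unless that location is registered in the requester's metadata. The metadata registry, the entityIDs, the URLs, the `EndpointPolicy` class and the `allow_unidentified_providers` switch are all constructed for this example; the requests are built inline as test input. The example also logs the requested ACS endpoint so that an anonymous request leaves a trace. It models only the explicit-URL form of the request and does not verify request signatures, which a real deployment relies on to bind the Issuer claim to the SP.

```python
"""
Hypothetical IdP-side endpoint check for a SAML 2.0 AuthnRequest.
Illustrative code, not Shibboleth's implementation: only the explicit
AssertionConsumerServiceURL form is modelled and no signatures are checked.
"""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("idp.sso")

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed stand-in for the IdP's relying-party metadata:
# entityID -> set of AssertionConsumerService locations registered for that SP.
REGISTERED_ACS = {
    "https://sp.example.edu/shibboleth": {
        "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
        "https://sp.example.edu/Shibboleth.sso/SAML2/Artifact",
    },
}


def build_authn_request(acs_url, issuer=None, request_id="_abc123"):
    """Build a minimal SAML 2.0 AuthnRequest (constructed test input).

    issuer=None models an "anonymous" provider that does not identify itself.
    """
    issuer_xml = f'<saml:Issuer xmlns:saml="{SAML}">{issuer}</saml:Issuer>' if issuer else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="2006-09-21T23:28:24Z" '
        f'AssertionConsumerServiceURL="{acs_url}">{issuer_xml}</samlp:AuthnRequest>'
    )


class EndpointPolicy:
    """Decide whether the IdP may send an assertion to the requested ACS endpoint."""

    def __init__(self, registry, allow_unidentified_providers=False):
        self.registry = registry
        # Hypothetical deployer switch: False refuses anonymous providers outright.
        self.allow_unidentified_providers = allow_unidentified_providers

    def decide(self, authn_request_xml):
        """Return (allowed, reason) for one AuthnRequest.

        An identified issuer may only use an ACS location registered for it;
        an unidentified issuer is refused unless the deployer opted in.
        """
        root = ET.fromstring(authn_request_xml)
        if root.tag != f"{{{SAMLP}}}AuthnRequest":
            return False, "not an AuthnRequest"

        acs = root.get("AssertionConsumerServiceURL")
        if not acs:
            return False, "no AssertionConsumerServiceURL in request"

        issuer_el = root.find("saml:Issuer", NS)
        issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""

        # Always record the requested endpoint, so even an anonymous request
        # leaves a trace of where the assertion was meant to go.
        log.info("AuthnRequest issuer=%r acs=%r", issuer or "<anonymous>", acs)

        if not issuer or issuer not in self.registry:
            if self.allow_unidentified_providers:
                return True, "unidentified provider permitted by policy"
            return False, "unidentified provider refused"

        if acs in self.registry[issuer]:
            return True, "ACS registered for issuer"
        return False, "ACS not registered for issuer"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    strict = EndpointPolicy(REGISTERED_ACS)
    print(strict.decide(build_authn_request(
        "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
        "https://sp.example.edu/shibboleth")))
    print(strict.decide(build_authn_request("https://unknown.example.net/acs")))
```

With the default policy a request from a known SP to one of its registered locations is allowed, a request from a known SP to an unregistered location is refused, and a request with no Issuer is refused; flipping `allow_unidentified_providers` to True lets the anonymous request through while still holding identified SPs to their registered endpoints.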