shibboleth-dev - RE: Final Working Draft 01 of HoK Browser SSO
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Cc: "'Toshiyuki Kataoka'" <>
- Subject: RE: Final Working Draft 01 of HoK Browser SSO
- Date: Wed, 12 Mar 2008 11:10:43 -0400
- Organization: The Ohio State University
> I think the interesting difference is that in the classical artifact
> model the SP only authenticates the assertion that it resolves, not the
> transport used to deliver the artifact. SAMLBindings 3.6.5.2 (Security
> Considerations) states that '[t]he transmission of an artifact to and
> from the user agent SHOULD be protected with confidentiality' but makes
> no recommendation regarding authentication.
Just to clarify...the reason you're confused by the text on this is that
bindings are not profiles. You can use artifacts to deliver messages that do
not need to be authenticated (an AuthnRequest for example), and/or use a
signature in lieu of the binding being authenticated.
Profiles will indicate whether a given message MUST be authenticated, and
will usually note that it can be done via binding or message signature. I
believe the SSO profile notes this.
This is a consequence of the layering of the spec, and to understand any
given profile, you start with that profile and work your way down.
-- Scott
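The layering Scott describes, shown as an added example (not code from the thread, Shibboleth or OpenSAML): the binding only says how a message arrived and whether that transport authenticated the sender; the profile says whether this message type must be authenticated at all, and if so, either the binding or a message signature can satisfy it. The artifact case is modelled too: the artifact itself comes through the user agent unauthenticated, and it is the resolved message that is checked. Everything here is assumed or simplified: the HMAC stands in for XML Signature, the profile table and all names are this example's own.

```python
"""Added illustration of SAML bindings vs. profiles as discussed in the message above.
Constructed model: an HMAC stands in for XML Signature, the profile table is
simplified, and no name here comes from Shibboleth/OpenSAML."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the IdP's signing key (real SAML uses an asymmetric key).
IDP_SIGNING_KEY = b"constructed-idp-signing-key"

# Profile-level rule (simplified): does this message type have to be authenticated?
# Note that the binding plays no part in this table; only the profile does.
PROFILE_REQUIRES_AUTH = {
    "AuthnRequest": False,  # SSO profile: an unsigned request may be accepted
    "Response": True,       # SSO profile: the Response/assertion must be authenticated
}


@dataclass
class Message:
    kind: str
    body: bytes
    signature: Optional[bytes] = None  # None when the message carries no signature


@dataclass
class Delivery:
    """How the message reached the SP: the binding used, and whether that binding
    itself authenticated the peer (e.g. TLS client auth on a SOAP back channel)."""
    binding: str
    binding_authenticated: bool


def sign(body: bytes) -> bytes:
    """Stand-in for the IdP signing a message (HMAC instead of XML Signature)."""
    return hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()


def signature_valid(msg: Message) -> bool:
    if msg.signature is None:
        return False
    return hmac.compare_digest(sign(msg.body), msg.signature)


def accept(msg: Message, delivery: Delivery) -> Tuple[bool, str]:
    """SP acceptance decision. The profile decides whether authentication is
    required; if it is, either the binding or a message signature can provide it."""
    required = PROFILE_REQUIRES_AUTH.get(msg.kind)
    if required is None:
        return False, f"{msg.kind}: unknown message type"
    if not required:
        return True, f"{msg.kind}: profile does not require authentication"
    if delivery.binding_authenticated:
        return True, f"{msg.kind}: authenticated by the {delivery.binding} binding"
    if signature_valid(msg):
        return True, f"{msg.kind}: authenticated by message signature"
    return False, f"{msg.kind}: profile requires authentication but none is present"


def resolve_artifact(artifact: str, issuer_store: dict, back_channel: Delivery) -> Tuple[bool, str]:
    """Artifact binding, modelled: the artifact arrived via the user agent, which is
    not authenticated; the SP dereferences it over a back channel, and the resolved
    message is what gets checked against the profile rule."""
    msg = issuer_store.get(artifact)
    if msg is None:
        return False, "artifact: unknown or already resolved"
    return accept(msg, back_channel)


if __name__ == "__main__":
    # Constructed sample messages and deliveries.
    req = Message("AuthnRequest", b"<AuthnRequest/>")
    print(accept(req, Delivery("HTTP-Redirect", False)))
    resp = Message("Response", b"<Response><Assertion/></Response>")
    store = {"AAQAA...constructed": resp}
    print(resolve_artifact("AAQAA...constructed", store, Delivery("SOAP", True)))
    print(accept(resp, Delivery("HTTP-POST", False)))
```

The point the model makes explicit: the same unsigned `Response` is rejected over an unauthenticated front-channel binding and accepted when it is resolved over a back channel that authenticated the IdP, while an `AuthnRequest` passes either way because the (simplified) profile rule does not require it to be authenticated.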