
shibboleth-dev - RE: [Shib-Dev] Writing an IDP extension

Subject: Shibboleth Developers


RE: [Shib-Dev] Writing an IDP extension


  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Writing an IDP extension
  • Date: Tue, 14 Oct 2008 12:29:01 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

If I, the SP, send a request with ForceAuth=true, and the IDP sends me back an
uncorrelated signed unsolicited response (formally), I really have no
assurance that the IDP performed the forceAuth requirement.

One IDP vendor's system I'm talking to via a discovery relay might (unlike
shib) just ignore (for all I know) my signed inbound request parameters,
decide it's going to mint an unsolicited request, and do all that WITHOUT
having performed the forceAuthn.

I, the SP, am really unaware of which conforming path the IDP chose.

I cannot decide whether the root cause flaw is in the conformance design for
SAML2 or Shib IDP (or the notion that an SP can be entirely stateless).

-----Original Message-----
From: Scott Cantor [mailto:]
Sent: Tuesday, October 14, 2008 7:12 AM
To:
Subject: RE: [Shib-Dev] Writing an IDP extension

> What do you know! Just found a vulnerability in the "NAR toolkit" - that is
> based on opensaml2. It too accepts an unsolicited response "returned" in
> response to an authentication request [indication].

That isn't a vulnerability, unless you're maintaining state associated with
the Request ID that you then "assume" to be in effect when processing the
response. The SP for example doesn't do that.
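The distinction drawn in this exchange, as an added example that is not code from either poster or from Shibboleth/OpenSAML: an SP-side check that treats ForceAuthn as satisfied only when the Response is correlated to the SP's own AuthnRequest (via InResponseTo) and the AuthnInstant is later than the request. An unsolicited response is still accepted, but without any ForceAuthn assurance. The `OUTSTANDING` store, `evaluate_response`, and the two sample Responses are constructed for illustration; signature validation and the other SAML checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical per-request state kept by the SP: request ID -> (time issued, ForceAuthn requested)
OUTSTANDING = {"_req1": (datetime(2008, 10, 14, 14, 0, tzinfo=timezone.utc), True)}

def evaluate_response(xml_text, outstanding):
    """Return (accept, force_authn_assured, reason) for a SAML 2.0 Response document."""
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited (IdP-initiated) response: there is no request to correlate with,
        # so nothing the SP asked for, ForceAuthn included, can be assumed honoured.
        return True, False, "unsolicited response: ForceAuthn not assured"
    if in_response_to not in outstanding:
        return False, False, "InResponseTo does not match any outstanding request"
    issued, force_authn = outstanding.pop(in_response_to)  # request state is single-use
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return False, False, "no AuthnStatement in assertion"
    authn_instant = datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00"))
    if force_authn and authn_instant < issued:
        # Correlated, but the authentication predates our request: ForceAuthn was not honoured.
        return False, False, "AuthnInstant predates the ForceAuthn request"
    return True, force_authn, "correlated response"

# Constructed sample Responses (signatures and most elements omitted for brevity).
RESP_CORRELATED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1">
  <saml:Assertion><saml:AuthnStatement AuthnInstant="2008-10-14T14:00:30Z"/></saml:Assertion>
</samlp:Response>"""
RESP_UNSOLICITED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2">
  <saml:Assertion><saml:AuthnStatement AuthnInstant="2008-10-14T09:00:00Z"/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(evaluate_response(RESP_CORRELATED, dict(OUTSTANDING)))
    print(evaluate_response(RESP_UNSOLICITED, dict(OUTSTANDING)))
```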

Archive powered by MHonArc 2.6.16.