shibboleth-dev - RE: [Shib-Dev] Writing an IDP extension

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Writing an IDP extension
  • Date: Tue, 14 Oct 2008 15:37:51 -0400
  • Organization: The Ohio State University

> If I the SP send a request with ForceAuth=true, and the IDP sends me back an
> uncorrelated signed unsolicited response (formally), I really have no
> assurance that the IDP performed the forceAuth requirement.

Yes, you do, you look at the AuthnInstant.

> I cannot decide whether the root cause flaw is in the conformance design for
> SAML2 or Shib IDP (or the notion that an SP can be entirely stateless).

The SP has nothing to do with it. Requesting forceAuthn and then correlating
a response proves nothing. You know you asked for forceAuthn. That's nice.
Means nothing. The only protection you have is to check the timestamp, which
is what I do (or the app can).

This is *aside* from the fact that any SP worth running is going to accept
unsolicited responses anyway, at which point it has no correlation to
perform and has to check the timestamp anyway.

-- Scott
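As an added illustration (not code from the thread or from Shibboleth), the AuthnInstant check Scott describes, in Python: it assumes the Response's signature has already been verified and that the SP recorded when it issued the ForceAuthn request; the Response XML and timestamps are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_instant(value):
    """Parse a SAML xs:dateTime ('Z' = UTC) into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def authn_instants(response_xml):
    """Every AuthnInstant carried by an AuthnStatement in the Response."""
    root = ET.fromstring(response_xml)
    return [parse_instant(stmt.get("AuthnInstant"))
            for stmt in root.iterfind(".//saml:AuthnStatement", SAML_NS)]

def force_authn_satisfied(response_xml, request_sent_at, skew=timedelta(seconds=60)):
    """True only if some AuthnStatement shows the user authenticating no earlier
    than the moment the SP issued its ForceAuthn request (less allowed clock skew).
    InResponseTo is deliberately not consulted: correlating the response proves the
    SP asked for forceAuthn, not that the IdP honoured it, and an unsolicited
    response has nothing to correlate anyway. Assumes the signature was verified."""
    instants = authn_instants(response_xml)
    if not instants:            # no AuthnStatement at all: cannot prove freshness
        return False
    return max(instants) >= request_sent_at - skew

def sample_response(authn_instant):
    """Constructed, unsigned, minimal Response for this demo; not a real IdP message."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2008-10-14T19:40:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-10-14T19:40:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed scenario: the SP sent its ForceAuthn request at 19:39:30Z.
REQUEST_SENT_AT = datetime(2008, 10, 14, 19, 39, 30, tzinfo=timezone.utc)
FRESH = sample_response("2008-10-14T19:39:55Z")  # IdP re-authenticated the user
STALE = sample_response("2008-10-14T08:15:00Z")  # IdP reused a session from that morning

if __name__ == "__main__":
    print("fresh accepted:", force_authn_satisfied(FRESH, REQUEST_SENT_AT))  # True
    print("stale accepted:", force_authn_satisfied(STALE, REQUEST_SENT_AT))  # False
```

The same function runs unchanged on a solicited and an unsolicited response, which is the point: the timestamp, not the correlation, is what carries the assurance.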