shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] idp-initiated SSO
- Date: Fri, 17 Oct 2008 14:59:29 -0400
- Organization: The Ohio State University
> I thought (f) was merely an expression of what Nate was pointing out in
his
> simulation-of-idp-initiated "trick"!!
No, not at all. It's how you fool the IdP into sending a response and hope
that the SP in question doesn't check InResponseTo. It will not result in
that attribute being omitted. The Shibboleth SP doesn't check it, but others
might, so in general, it's probably not a great idea. In hindsight I'm sorry
I didn't point that out.
> It was little more than an afterthought, designed to codify his trick.
Acted
> like a test to ensure that the definitions could deal with the outlier
case,
> too.
See above. Codifying his trick does not make the sender of that request a
third party in the formal sense of getting around the InResponseTo problem.
The IdP simply assumes that the requester in ALL cases is the SP. I guess
that's the best way to answer all this. Right now, that's just how it
behaves.
> Can Shib SP handle multiple assertions in a response? (or perhaps, better,
> is an array of n>1 assertions a part of the security concept of Shib?)
The SP handles any number of assertions, provided they follow the profile,
which in this case means they all must share a common subject.
You may find that not many SPs will handle more than one. They certainly did
not in the past.
-- Scott
- RE: [Shib-Dev] idp-initiated SSO, (continued)
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- Message not available
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
Archive powered by MHonArc 2.6.16.