shibboleth-dev - Re: [Shib-Dev] online attack resistance for UserPassword

Re: [Shib-Dev] online attack resistance for UserPassword

  • From: Leif Johansson <>
  • Subject: Re: [Shib-Dev] online attack resistance for UserPassword
  • Date: Wed, 01 Jun 2011 09:03:08 +0200


> But regardless, if you're not implementing it in the authn service
> then you might as well not implement it at all. If I'm an attacker
> I'm just going to beat on the service that lets me then use the
> password on any service I want.
>

That depends entirely on your deployment. For instance, it is common
for ADs to be firewalled into a corner, which makes it impractical to
attack them directly. The IdP may be one of the few ways an account can
be subjected to an offline attack.

> Now, you could claim that the IdP is, in fact, the authn service in
> your organization and so is the appropriate place for you to implement
> something like this. But that is very rarely the way people actually
> deploy the IdP (though a few people do).

We're seeing an increasing number of deployments where the IdP is the
SSO and is the only publicly reachable poc with the authn system. You
might argue that an IMAP service (say) also presents a target, and we
will probably need to make sure that (for instance) notifications about
account locks/expirations are available to the IdP. I don't know how this
affects your architecture for v3 though...

Cheers Leif
