web-based-single-sign-on-and-the-dangers-of-saml-xml

Cantor, Scott cantor.2 at osu.edu
Tue Dec 10 18:44:37 EST 2013


On 12/10/13, 6:18 PM, "Bryan E. Wooten" <bryan.wooten at utah.edu> wrote:

>Thanks for the reply Scott.
>
>Just curious. Doesn't the Shib SP use OpenSAML? How was this issue
>avoided? The whole topic of XML exploits is new to me.

The SP is in C++, not Java, and the settings involved are entirely
different. Since the parser is by definition fixed and non-portable, the
settings that limit many attacks are directly in the library because
there's no reason for them not to be.

I also have no sample code, and I'm not focused on producing a library for
others to use; it's for the SP to use.

-- Scott
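The approach Scott describes above, hardening settings fixed inside the library rather than left to each caller, shown as an added illustrative example. This is not Shibboleth SP, OpenSAML or Xerces-C code (the SP is C++); it is a small Python wrapper over the standard-library expat parser. The wrapper refuses any DOCTYPE, because the internal subset is where entity declarations (expansion bombs, external entities, parameter entities) come from, and the sample documents are constructed for this example, not real SAML assertions. Names such as `parse_hardened` and `UnsafeXML` are assumptions of this example.

```python
"""Added example: XML parser hardening baked into a library wrapper.

Illustrative Python over the stdlib expat parser, not Shibboleth/OpenSAML
code. The hardened path rejects DOCTYPE unconditionally; callers of the
wrapper cannot switch that off, which is the point of putting the setting
in the library rather than in per-call parser configuration.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when input uses XML features the wrapper refuses."""


def _parse(data: bytes, hardened: bool) -> dict:
    """Parse `data` and return a summary: root tag, text content, element count."""
    summary = {"root": None, "text": "", "elements": 0}
    p = expat.ParserCreate()

    def start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    def chars(text):
        # expat may deliver text in chunks; concatenate them.
        summary["text"] += text

    p.StartElementHandler = start
    p.CharacterDataHandler = chars

    if hardened:
        # The DOCTYPE is reported before its internal subset is processed,
        # so raising here stops every entity declaration it would carry.
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise UnsafeXML("DOCTYPE not permitted (root %r)" % name)

        p.StartDoctypeDeclHandler = reject_doctype
        # Defence in depth should a DOCTYPE ever be reached: returning 0
        # makes expat fail instead of fetching an external entity, and
        # parameter entities are never expanded.
        p.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    p.Parse(data, True)
    return summary


def parse_default(data: bytes) -> dict:
    """Plain expat defaults: internal entities are expanded silently."""
    return _parse(data, hardened=False)


def parse_hardened(data: bytes) -> dict:
    """Library-enforced settings: any DOCTYPE is an error."""
    return _parse(data, hardened=True)


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened parser refuses `data`."""
    try:
        parse_hardened(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample: a SAML-shaped fragment whose DOCTYPE declares a nested
# internal entity and references it from NameID. This is the building block
# of an entity-expansion attack, kept tiny here. Not a real assertion.
SAMPLE_WITH_DOCTYPE = b"""<?xml version="1.0"?>
<!DOCTYPE Assertion [
  <!ENTITY pad "0123456789">
  <!ENTITY pad2 "&pad;&pad;&pad;&pad;">
]>
<Assertion><NameID>&pad2;</NameID></Assertion>"""

# Constructed sample with no DOCTYPE: both parsers accept it unchanged.
SAMPLE_CLEAN = b"""<?xml version="1.0"?>
<Assertion><NameID>user@example.org</NameID></Assertion>"""


if __name__ == "__main__":
    # Default parser: 10 bytes of declared entity text become 40 in NameID.
    print("default :", parse_default(SAMPLE_WITH_DOCTYPE))
    try:
        parse_hardened(SAMPLE_WITH_DOCTYPE)
    except UnsafeXML as err:
        print("hardened:", err)
    print("clean   :", parse_hardened(SAMPLE_CLEAN))
```

The hardened path raises from inside the DOCTYPE handler rather than inspecting entities individually, so there is no per-entity size or depth threshold for a caller to misconfigure; the message above makes the same argument for keeping such settings in the library when the parser underneath is fixed.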



