The problem with IDP initiated SSO
Cantor, Scott
cantor.2 at osu.edu
Tue Dec 23 11:34:08 EST 2014
On 12/23/14, 4:17 PM, "federator" <wpadmin at identiainc.com> wrote:
>I assume the term "interoperability" refers to SSO. If that's the case,
>as long as all SPs accept the same standard SAML response format,
>interoperability shouldn't be an issue.
Except for the first message to the IdP. Try defining that one
interoperably. There is no such thing as IdP initiated SSO; that's the
point. There is always a request message. The term "IdP initiated SSO"
describes a profile in which the request message is undefined and the
response is standardized. That was how SAML 1.1 worked. You can ask
anybody that's been part of this community since before SAML 2.0 how much
fun that all was.
>XSRF can occur anyhow when cookies are used for maintaining sessions.
>Better to use HTTPS for prevention...
There is no channel binding in HTTPS with browsers, so you can't, not
unless you use client certificates that are being bound to the session by
the RP. Not even certificate authentication to the IdP is sufficient.
The use of cookies can prevent the specific form of XSRF that the SAML
flow is vulnerable to, though not others. But only if IdP initiated SSO is
explicitly prohibited by the SP.
-- Scott
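The SP-side check Scott describes (cookie-bound session plus a prohibition on IdP initiated SSO) can be illustrated concretely. The following is an added example, not code from the thread or from any SAML implementation: a minimal SP that mints an AuthnRequest ID, binds it to the browser's cookie-backed session, and on return accepts only a samlp:Response whose InResponseTo matches an outstanding request from that same session. The sample responses are constructed for the example; the session dictionary stands in for whatever server-side store the SP keys off its session cookie. Signature, audience and condition checks are deliberately out of scope here, since the point is the request/response binding alone.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample messages (not real IdP output). The solicited one
# carries an InResponseTo that the SP fills in; the unsolicited one is
# what an IdP initiated flow delivers: a Response with no InResponseTo.
SOLICITED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
    'InResponseTo="{rid}" IssueInstant="2014-12-23T16:17:00Z"/>'
)
UNSOLICITED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp2" Version="2.0" '
    'IssueInstant="2014-12-23T16:17:00Z"/>'
)


def issue_authn_request(session):
    """SP side: mint a fresh, unguessable request ID and record it in the
    browser's session (assumed to be a server-side store keyed by a
    session cookie). The returned value goes into the AuthnRequest's ID."""
    request_id = "_" + secrets.token_hex(16)
    session.setdefault("pending_saml_requests", set()).add(request_id)
    return request_id


def validate_response(session, response_xml, allow_unsolicited=False):
    """SP side: decide whether a posted Response may establish a session.

    Returns (accepted, reason). With allow_unsolicited=False the SP
    explicitly prohibits IdP initiated SSO, which is what closes the
    SAML-specific XSRF: a Response can only log the browser in if that
    browser's own session issued the matching AuthnRequest.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"

    in_response_to = root.get("InResponseTo")
    pending = session.setdefault("pending_saml_requests", set())

    if in_response_to is None:
        # IdP initiated: no request message ever existed.
        if allow_unsolicited:
            return True, "accepted unsolicited (IdP initiated) response"
        return False, "unsolicited response rejected; IdP initiated SSO prohibited"

    if in_response_to not in pending:
        # Either never issued, issued to a different browser session, or
        # already consumed. All three are rejected.
        return False, "InResponseTo does not match a request from this session"

    pending.discard(in_response_to)  # single use: blocks replay of the same Response
    return True, "response matches an outstanding request from this session"


def demo():
    """Walk through the accept/reject cases; returns the list of outcomes."""
    session = {}
    rid = issue_authn_request(session)
    results = [
        validate_response(session, SOLICITED_RESPONSE.format(rid=rid))[0],      # True
        validate_response(session, SOLICITED_RESPONSE.format(rid=rid))[0],      # False: replay
        validate_response(session, UNSOLICITED_RESPONSE)[0],                    # False: IdP initiated
        validate_response(session, SOLICITED_RESPONSE.format(rid="_other"))[0], # False: foreign request
        validate_response({}, UNSOLICITED_RESPONSE, allow_unsolicited=True)[0], # True: SP opted in
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The last case shows the trade-off in the thread: an SP that opts into unsolicited responses gets IdP initiated SSO back, and with it loses the ability to tie the Response to a request its own cookie-bound session made.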