The problem with IDP initiated SSO

Stefan Rasmusson rasmusson.stefan at gmail.com
Fri Dec 26 06:10:30 EST 2014


Ok, so you can force a user to be signed in to a bank account that you have
valid credentials for. Any idea what this attack can be used for? Or is it
just a general problem that you are able to make the user do that?


--
Stefan

On 23 December 2014 at 15:55, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 12/23/14, 1:25 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
> >>
> >> It's also a XSRF attack by definition.
> >
> >Wouldn't user consent effectively thwart that issue?
>
> Not in the way that the attack would normally work here. What's unusual
> about this kind of XSRF attack is that it involves a user giving a valid
> response to a *different* user. That is, I log in via a request from my
> banking service and give your client the response so that you're logged
> into my bank, but you think you're logged into yours.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
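The exchange Scott describes above, in which an unsolicited (IdP-initiated) response is handed to a *different* user's browser, is what a service provider can refuse on its own side. The following is an added example, not code from this thread or from the Shibboleth project: a simplified SP-side check that accepts a SAML Response only when its InResponseTo attribute names an AuthnRequest the SP issued for the same browser session, and rejects responses that carry no InResponseTo at all unless the deployment has deliberately opted in to IdP-initiated SSO. The `PendingRequests` store, the session cookie values, the `allow_unsolicited` policy switch and the minimal Response XML are all constructed for illustration; signature verification, Conditions, Destination and audience checks that a real SP must also perform are omitted so the request-binding point stays visible.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class PendingRequests:
    """Per-browser-session record of AuthnRequest IDs this SP actually issued.

    Keyed by the SP's own session cookie, so a response can only be matched
    to a request that originated from the same browser. (Constructed helper.)
    """

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        # Unpredictable request ID, stored under the issuing browser's session
        request_id = "_" + secrets.token_hex(16)
        self._by_session.setdefault(session_id, set()).add(request_id)
        return request_id

    def consume(self, session_id, request_id):
        # One-time use: a matched ID is removed so a replay cannot match again
        ids = self._by_session.get(session_id, set())
        if request_id in ids:
            ids.discard(request_id)
            return True
        return False


def parse_in_response_to(response_xml):
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("InResponseTo")


def accept_response(response_xml, session_id, pending, allow_unsolicited=False):
    """Decide whether the SP should establish a session from this response.

    Returns (accepted, reason). `allow_unsolicited` is a hypothetical policy
    flag standing in for an SP's 'permit IdP-initiated SSO' setting.
    """
    in_response_to = parse_in_response_to(response_xml)
    if in_response_to is None:
        # No InResponseTo: an unsolicited / IdP-initiated response. Nothing
        # ties it to this browser, so it can be a response minted for someone else.
        if allow_unsolicited:
            return True, "unsolicited response accepted by policy"
        return False, "unsolicited response rejected: no InResponseTo"
    if not pending.consume(session_id, in_response_to):
        # Either never issued by this SP, already used, or issued for a
        # different browser session: the login-CSRF shape described in the thread.
        return False, "InResponseTo does not match a request issued for this browser"
    return True, "response matches an outstanding request from this browser"


def make_response(in_response_to=None):
    """Constructed minimal samlp:Response for the demo (no signature, no assertion)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0"'
            f'{attr}><samlp:Status/></samlp:Response>')


def demo():
    """Three deliveries to the SP from the victim's browser; returns accept flags."""
    pending = PendingRequests()
    victim_session = "cookie-victim"      # constructed SP session cookie values
    attacker_session = "cookie-attacker"

    # 1. Normal SP-initiated flow: the victim's browser started the request.
    req_id = pending.issue(victim_session)
    ok_legit, _ = accept_response(make_response(req_id), victim_session, pending)

    # 2. IdP-initiated response with no InResponseTo, delivered to the victim.
    ok_unsolicited, _ = accept_response(make_response(None), victim_session, pending)

    # 3. A response answering a request issued for a different browser session.
    other_req_id = pending.issue(attacker_session)
    ok_cross, _ = accept_response(make_response(other_req_id), victim_session, pending)

    return ok_legit, ok_unsolicited, ok_cross


if __name__ == "__main__":
    print(demo())
```

The trade-off is the one the thread's subject names: an SP that enforces this check cannot also offer IdP-initiated SSO, because an unsolicited response is by definition bound to no request. Deployments that keep `allow_unsolicited` on are relying on the user noticing that the account they landed in is not theirs, which is exactly the consent assumption Scott's reply says does not hold.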