idp.session.consistentAddress and real security implications.

Cantor, Scott cantor.2 at
Mon Apr 25 14:00:51 EDT 2016

> We do external authn and have gotten hit with this on the return to the IdP.

That would imply that the container session is itself unsafe. In which case, yikes, but additionally, it probably doesn't matter all that much whether you bind this cookie if that one isn't.

The IdP's session doesn't come into play at all for external authn (in V3).

-- Scott
