O365 auth bypass

Peter Schober peter.schober at univie.ac.at
Thu Apr 28 07:00:50 EDT 2016

* Cantor, Scott <cantor.2 at osu.edu> [2016-04-28 00:38]:
> >It could be applied to the attribute they are using. 
> I don't believe it was EPPN, was it?
> There aren't many identifiers that are scoped. EPPN and
> eduPersonUniqueID are it. You can't just take any attribute that
> happens to end in a domain and treat it that way, because the whole
> community needs to recognize that semantic for things to work well.
> The mail attribute for example is not scoped.

It was neither ePPN nor mail; it was "IDPEmail", something
not specified anywhere, esp. not specified as being scoped.

Even if it were the standard mail attribute, there'd be no reason and
no consensus to prohibit a given IDP from asserting email address
values with specific domain parts, e.g. gmx.net or hotmail.com.
There's no requirement for an organization running a SAML IDP to be
handing out email addresses in its own domain either.
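The distinction drawn above (a scoped identifier such as ePPN or eduPersonUniqueId carries a domain part that the relying party must check against the asserting IdP's registered scopes, whereas mail or a home-grown attribute like IDPEmail carries no such semantic and must not be used as if it did) is what a SAML SP's attribute filter enforces. The following is an added example, not code from the Shibboleth project or from anyone in this thread: the IdP entityID, the registered scope list (standing in for shibmd:Scope metadata), the assertion contents and the attribute names treated as scoped are all constructed for illustration.

```python
"""Scope filtering of SAML attributes as an SP would apply it.

Added example, not Shibboleth code. The IdP metadata, the set of
attribute names treated as scoped and the asserted values are
constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Attributes the community agrees are scoped (value = local-part@scope).
# Assumption for this example: only the two identifiers named above.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonUniqueId"}


@dataclass
class IdPMetadata:
    entity_id: str
    # Scopes the federation registered for this IdP (what shibmd:Scope
    # in the IdP's metadata would carry). Constructed for the example.
    scopes: Set[str] = field(default_factory=set)


def split_scope(value: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, scope) for a well-formed scoped value, else None.

    Exactly one '@' with non-empty parts; the scope is lower-cased so
    that 'Alice@EXAMPLE.EDU' matches a registered scope 'example.edu'.
    """
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    if not local or not scope:
        return None
    return local, scope.lower()


def filter_attributes(
    idp: IdPMetadata, attributes: Dict[str, List[str]]
) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Split asserted attributes into (accepted, rejected).

    Scoped identifiers are kept only when their scope is one the
    federation registered for the asserting IdP. Every other attribute
    (mail, IDPEmail, ...) is passed through untouched: its domain part
    carries no authorisation meaning, so scope filtering neither helps
    nor applies, and an SP must not derive access rights from it.
    """
    accepted: Dict[str, List[str]] = {}
    rejected: List[Tuple[str, str]] = []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for v in values:
            parts = split_scope(v)
            if parts is None or parts[1] not in idp.scopes:
                rejected.append((name, v))
            else:
                kept.append(v)
        if kept:
            accepted[name] = kept
    return accepted, rejected


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Run the filter over a constructed assertion from a constructed IdP."""
    idp = IdPMetadata(
        entity_id="https://idp.example.edu/idp/shibboleth",  # constructed
        scopes={"example.edu"},
    )
    # Constructed assertion: one ePPN in the IdP's own scope, one
    # claiming a scope this IdP is not registered for, one malformed,
    # plus unscoped mail/IDPEmail values in arbitrary domains.
    asserted = {
        "eduPersonPrincipalName": [
            "alice@example.edu",
            "Alice@EXAMPLE.EDU",
            "bob@victim.example",
            "nobody",
        ],
        "mail": ["alice@gmx.net"],
        "IDPEmail": ["ceo@victim.example"],
    }
    return filter_attributes(idp, asserted)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

Note what the filter does and does not do: the ePPN value claiming another organisation's scope is dropped because the federation never registered that scope for this IdP, while the gmx.net mail value and the IDPEmail value in a foreign domain pass through unchanged. That is correct behaviour for an attribute filter, and it is exactly why a relying party that bases access on the domain part of an unscoped attribute gets no protection from it.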
