Mapping requests to responses
Cantor, Scott
cantor.2 at osu.edu
Tue May 24 23:43:18 EDT 2016
On 5/24/16, 11:31 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at sudonym.me> wrote:
>Thanks for the confirmation. One last question: why not implement any of that?
It didn't exist in SAML 1.1, and IdP-initiated SSO was a required feature in SAML 2. The only feature that correlation can provide that can't be accomplished some other way is XSRF protection, and that's only possible to get if you disable IdP-initiated.
I would like to do it, but I have approximately 600,000 other things to do right now and I haven't studied the problem enough to know how to implement it properly. Since the SP doesn't have a way to generate tamper-proof cookies, it's not exactly self-evident. Somehow I doubt adding yet another key to the mix is going to be a popular idea with anybody.
-- Scott
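
Added example, not part of the original message and not Shibboleth SP code: a sketch of the request/response correlation discussed above, using an HMAC-protected cookie to bind the AuthnRequest ID to the browser. The key (COOKIE_KEY), the cookie format, and all function names are assumptions for illustration, and the response is assumed to have passed signature validation already.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-SP secret used only to MAC the correlation cookie
# (the "yet another key" the message refers to).
COOKIE_KEY = secrets.token_bytes(32)


def _tag(request_id, key):
    return hmac.new(key, request_id.encode(), hashlib.sha256).hexdigest()


def new_request_cookie(key=COOKIE_KEY):
    """Create an AuthnRequest ID and a cookie value binding it to this browser."""
    request_id = "_" + secrets.token_hex(16)
    return request_id, f"{request_id}.{_tag(request_id, key)}"


def cookie_request_id(cookie, key=COOKIE_KEY):
    """Return the request ID carried by the cookie, or None if absent or tampered."""
    if not cookie or "." not in cookie:
        return None
    request_id, tag = cookie.rsplit(".", 1)
    ok = hmac.compare_digest(tag.encode(), _tag(request_id, key).encode())
    return request_id if ok else None


def accept_response(in_response_to, cookie, allow_unsolicited, key=COOKIE_KEY):
    """Decide whether a validated SAML response may create a session."""
    if in_response_to is None:
        # IdP-initiated SSO: there is no request to correlate with, so the
        # cookie cannot help. XSRF protection exists only if this is refused.
        return allow_unsolicited
    expected = cookie_request_id(cookie, key)
    if expected is None:
        return False  # no cookie, or the cookie failed its MAC check
    # The response must answer the request this browser actually started.
    return hmac.compare_digest(expected.encode(), in_response_to.encode())
```
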