Consequences of Permitting SAML NameID to Subject Mapping
serac at vt.edu
Fri Aug 10 08:19:41 EDT 2018
We have run into a problem with a relying party that is sending a requested
NameID in SAML AuthnRequests:
    <saml:NameID>nobody@vt.edu</saml:NameID>
I'd never seen this before, and frankly didn't even know it was a supported
capability of the SAML 2 spec, but I was able to convince myself it made
sense on further consideration. Upon reviewing configuration and docs 
to enable support for it, the defaults were so conservative that I wanted
to make sure I understand the consequences. My intention is to allow
mapping SAML NameIDs to subjects for a relying party group that includes
SPs that are highly trusted (i.e. paying customers, legal contracts).
That's simply a more manageable way than explicitly listing SPs per the
default configuration template.
What's the risk of allowing this reverse lookup?
Marvin at Virginia Tech