Consequences of Permitting SAML NameID to Subject Mapping

Marvin Addison serac at vt.edu
Mon Aug 13 13:38:56 EDT 2018


On Fri, Aug 10, 2018 at 4:47 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > What's the risk of allowing this reverse lookup?
>
> Nothing really unless you allow Attribute Queries, then it provides direct
> access to whatever data is released to that SP based on that ID. You can
> think of it like a pseudo-token that effectively authorizes access to
> attributes about that subject.
>

Thank you for clarifying that, which is exactly what I was wondering. In
our particular case where we scope to trusted relying parties, that risk is
acceptable.

Best,
M
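The mitigation Marvin describes (scoping Attribute Queries to trusted relying parties), shown as an added configuration example that is not part of the original thread and not the Shibboleth project's own text. It assumes the Shibboleth IdP v3 conf/relying-party.xml layout, with the stock profile bean names; the SP entityID is a placeholder. The default relying party loses the SAML2.AttributeQuery profile, and the profile is re-enabled only inside a RelyingPartyByName override, so the NameID-to-subject mapping can stay on without turning a known NameID into a token that any SP can use to pull attributes.

```xml
<!-- conf/relying-party.xml (Shibboleth IdP v3 layout assumed; added example, not from the thread) -->

<!-- Default relying party: no Attribute Query profile. An SP that merely
     possesses a subject's NameID cannot turn it into an attribute lookup. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

<!-- Override: Attribute Query enabled only for the trusted SP.
     https://sp.example.org/shibboleth is a placeholder entityID. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.AttributeQuery" />
            </list>
        </property>
    </bean>
</util:list>
```

After reloading the relying-party service, the check is to send an AttributeQuery carrying a valid NameID from an SP that is not listed in the override and confirm the IdP refuses it; the same query from the listed SP should succeed. This restricts who can exercise the reverse lookup, not the lookup itself, which is the point of Scott's pseudo-token observation.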