Securely passing

[Howes, Nick]

Hi all,


Our v3 IdP delegates to our main proprietary login server through the RemoteUser flow. This works fine but the login server only knows that it's authenticating for the IdP and nothing about what relying party the IdP is servicing, so we can't make any business decisions on the login screen or even tell the user what they're signing in to.


Would there be a secure way of passing data such as the SP's entity ID to the login flow? It needs to be more secure than just passing in a parameter, to avoid an exploit where they pass an SP different to the one the IdP has in its relying party context, unless the IdP could be taught to complain if it got a non-matching value back. I'm open to changing which authn flow we use and writing custom stuff.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20181207/97005632/attachment.html>