Securely passing

Howes, Nick N.Howes at warwick.ac.uk
Sat Dec 8 07:42:07 EST 2018


External flow does sound like a good starting point. Did think a bit about signatures but not sure if it'd prevent a malicious party from copying the signature from another request. But if the External flow has a chance to compare the values when it returns to IdP then it may be able to protect against that.

I'll take a look at the Shib-CAS-Authn3 project for inspiration.

Thanks both!


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: Friday, December 7, 2018 4:31:33 PM
To: users at shibboleth.net
Subject: Re: Securely passing

* Michael A Grady <mgrady at unicon.net> [2018-12-07 17:21]:
> Yes, Unicon's Shib-CAS-Authn3 extension for the IdP (using a
> separate CAS Server for the authentication) uses that
> ExternalAuthnConfiguration method, and indeed does pass the SP
> entityID across, so that can be done as Peter notes.

I'm guessing if one was concerned about the authenticity of such
parameters one could add another parameter with a checksum or
signature, since the code on both sides (the component running within
the IDP, the external authentication service) would need to be custom
anyway?

-peter
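As an added example that is not part of this thread and not code from the Shibboleth IdP or the Shib-CAS-Authn3 extension: a minimal model of the signed-parameter idea Peter raises, with the IdP-side component keeping per-conversation state so that, as Nick asks, a signature copied from another request, a replayed result, or a stale one is caught when the flow returns to the IdP. The class names (IdPSide, ExternalAuthnService), the parameter names (nonce, exp, sig), the HMAC-SHA256 construction and the shared key are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time


# Shared secret between the IdP-side component and the external authentication
# service. Constructed sample value; a deployment provisions its own.
SHARED_KEY = b"constructed-demo-shared-secret"


def _canonical(params):
    """Canonical bytes both sides sign: every parameter except the signature itself."""
    body = {k: v for k, v in params.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(params, key=SHARED_KEY):
    """HMAC-SHA256 over the canonical encoding (assumed construction)."""
    return hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()


def verify(params, key=SHARED_KEY):
    """Constant-time check of the 'sig' parameter against a freshly computed HMAC."""
    return hmac.compare_digest(params.get("sig", ""), sign(params, key))


class IdPSide:
    """Models the custom component running inside the IdP (hypothetical name)."""

    def __init__(self, key=SHARED_KEY, ttl=300):
        self.key = key
        self.ttl = ttl
        self.pending = {}  # nonce -> parameters sent; server-side conversation state

    def build_request(self, sp_entity_id, now=None):
        """Parameters handed to the external service: entityID bound to a per-request nonce and expiry."""
        now = time.time() if now is None else now
        params = {"entityID": sp_entity_id, "nonce": secrets.token_urlsafe(16), "exp": int(now + self.ttl)}
        params["sig"] = sign(params, self.key)
        self.pending[params["nonce"]] = dict(params)
        return params

    def accept_return(self, result, now=None):
        """Checks on the way back: signature, one-time nonce, entityID unchanged, not expired."""
        now = time.time() if now is None else now
        if not verify(result, self.key):
            return False, "bad signature on return"
        sent = self.pending.pop(result.get("nonce"), None)  # consumed on first use
        if sent is None:
            return False, "nonce unknown or already consumed"
        if sent["entityID"] != result.get("entityID"):
            return False, "entityID differs from what was sent"
        if now > int(result.get("exp", 0)):
            return False, "expired"
        return True, result.get("principal")


class ExternalAuthnService:
    """Models the external authentication service (hypothetical name)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key

    def handle(self, request, authenticated_user, now=None):
        """Accepts only requests whose parameters carry a valid, unexpired signature."""
        now = time.time() if now is None else now
        if not verify(request, self.key) or now > int(request.get("exp", 0)):
            return None
        result = {
            "entityID": request["entityID"],
            "nonce": request["nonce"],
            "exp": request["exp"],
            "principal": authenticated_user,
        }
        result["sig"] = sign(result, self.key)
        return result


def demo():
    """Runs the honest exchange and three tampered variants; returns each verdict."""
    idp, ext = IdPSide(), ExternalAuthnService()
    out = {}

    # Honest exchange: IdP -> external service -> IdP.
    req = idp.build_request("https://sp-a.example.org/shibboleth")
    res = ext.handle(req, "alice")
    out["honest"] = idp.accept_return(res)

    # Signature copied from a genuine request onto a different entityID:
    # rejected by the external service because entityID is covered by the HMAC.
    req2 = idp.build_request("https://sp-a.example.org/shibboleth")
    copied = dict(req2, entityID="https://sp-b.example.org/shibboleth")
    out["copied_sig"] = ext.handle(copied, "alice")

    # Replay of an already-consumed result: the signature still verifies, but
    # the IdP no longer holds that nonce in its pending state.
    out["replay"] = idp.accept_return(res)

    # Stale result presented after its expiry.
    req3 = idp.build_request("https://sp-a.example.org/shibboleth")
    res3 = ext.handle(req3, "alice")
    out["expired"] = idp.accept_return(res3, now=req3["exp"] + 1)

    return out


if __name__ == "__main__":
    print(demo())
```

The design point is the one Nick identifies: the signature alone only proves the parameters were produced by someone holding the key; binding them to a nonce the IdP stores per conversation and discards on first use is what turns a copied or replayed set of parameters into a detectable failure on return.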

