N.Howes at warwick.ac.uk
Sat Dec 8 07:42:07 EST 2018
External flow does sound like a good starting point. Did think a bit about signatures but not sure if it'd prevent a malicious party from copying the signature from another request. But if the External flow has a chance to compare the values when it returns to IdP then it may be able to protect against that.
I'll take a look at the Shib-CAS-Authn3 project for inspiration.
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: Friday, December 7, 2018 4:31:33 PM
To: users at shibboleth.net
Subject: Re: Securely passing
* Michael A Grady <mgrady at unicon.net> [2018-12-07 17:21]:
> Yes, Unicon's Shib-CAS-Authn3 extension for the IdP (using a
> separate CAS Server for the authentication) uses that
> ExternalAuthnConfiguration method, and indeed does pass the SP
> entityID across. So that can be done as Peter notes.
I'm guessing if one was concerned about the authenticity of such
parameters one could add another parameter with a checksum or
signature, since the code on both sides (the component running within
the IDP, the external authentication service) would need to be custom
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
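The thread above asks whether a signature over the hand-off parameters would stop a malicious party from copying a signature from another request. The sketch below is an added example, not code from the thread, from Shib-CAS-Authn3 or from the Shibboleth IdP. It assumes the IdP-side component and the external authentication service share a secret, and that the IdP has a per-conversation key it can bind into the signed payload (the IdP external authentication API does hand a conversation key to the external service, but the parameter names entityId, conversation and ts used here are this example's own). Because the MAC covers the conversation key and a timestamp, a signature lifted from a different request does not verify for the conversation the receiving side is actually waiting for.

```python
"""Added example: HMAC-protect parameters passed between an IdP external
authentication flow and an external authentication service.

Hypothetical helper code; field names and the conversation-key binding
are this example's assumptions, not the Shib-CAS-Authn3 implementation.
"""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the example. In a deployment this is a
# configured secret known only to the IdP-side component and the external
# service, which is what makes a forged or copied signature detectable.
SHARED_SECRET = secrets.token_bytes(32)

# Fields covered by the signature, in a fixed order. "sig" itself is excluded.
SIGNED_FIELDS = ("entityId", "conversation", "ts")


def canonicalize(params: dict) -> bytes:
    """Length-prefix each field so boundaries are unambiguous: an entityId
    containing '&' or '=' cannot be made to swallow or shift another field."""
    parts = []
    for name in SIGNED_FIELDS:
        value = params[name].encode("utf-8")
        parts.append(f"{len(value)}:".encode("ascii") + value)
    return b"".join(parts)


def sign_params(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical form of the signed fields."""
    return hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()


def build_handoff(sp_entity_id: str, conversation_key: str, now=None) -> dict:
    """IdP side: bind the SP entityID to this conversation and a timestamp,
    then sign. 'conversation_key' is the per-flow key the IdP issued."""
    ts = int(time.time() if now is None else now)
    params = {"entityId": sp_entity_id, "conversation": conversation_key, "ts": str(ts)}
    params["sig"] = sign_params(params)
    return params


def verify_handoff(params: dict, expected_conversation: str, now=None,
                   max_age: int = 300, secret: bytes = SHARED_SECRET) -> bool:
    """Receiving side: recompute the MAC and compare in constant time, then
    check the conversation key is the one this flow instance is waiting for
    and that the timestamp is fresh. A signature copied from another request
    fails here because it was computed over a different conversation key."""
    try:
        expected = sign_params({k: params[k] for k in SIGNED_FIELDS}, secret)
    except KeyError:
        return False  # a signed field is missing
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False  # tampered field or signature from another request
    if params["conversation"] != expected_conversation:
        return False  # intact signature, but for some other conversation
    try:
        ts = int(params["ts"])
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= max_age  # limits the replay window


if __name__ == "__main__":
    key = "e1s1"  # constructed conversation key
    handoff = build_handoff("https://sp.example.org/shibboleth", key, now=1544258527)
    print("valid:", verify_handoff(handoff, key, now=1544258527))
    other = build_handoff("https://other.example.org/shibboleth", "e2s1", now=1544258527)
    copied = dict(handoff, sig=other["sig"])
    print("copied signature accepted:", verify_handoff(copied, key, now=1544258527))
```

The same check has to be applied on both legs: the external service verifies what the IdP sent, and when control returns to the IdP the component compares the values it receives against what it stored for that conversation before completing authentication, which is the comparison the thread refers to. The timestamp only bounds replay; the conversation-key check is what stops a replay within the window.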