Securely passing

Howes, Nick N.Howes at
Sat Dec 8 07:42:07 EST 2018

External flow does sound like a good starting point. Did think a bit about signatures but not sure if it'd prevent a malicious party from copying the signature from another request. But if the External flow has a chance to compare the values when it returns to IdP then it may be able to protect against that.

I'll take a look at the Shib-CAS-Authn3 project for inspiration.

Thanks both!

From: users <users-bounces at> on behalf of Peter Schober <peter.schober at>
Sent: Friday, December 7, 2018 4:31:33 PM
To: users at
Subject: Re: Securely passing

* Michael A Grady <mgrady at> [2018-12-07 17:21]:
> Yes, Unicon's Shib-CAS-Authn3 extension for the IdP (using a
> separate CAS Server for the authentication) uses that
> ExternalAuthnConfiguration method, and indeed does pass the SP
> entityID across, so that can be done as Peter notes.

I'm guessing if one was concerned about the authenticity of such
parameters one could add another parameter with a checksum or
signature, since the code on both sides (the component running within
the IDP, the external authentication service) would need to be custom
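An added sketch of the idea discussed in this thread, not code from the Shibboleth IdP or from Shib-CAS-Authn3: the IdP-side component signs the SP entityID together with a per-request nonce and timestamp, the external service verifies the MAC, and on return the IdP compares the values with what that session sent, which is what rejects a signature copied from another request. All function and parameter names, the shared key and the dict standing in for the IdP session are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed freshness window


def _mac(key, entity_id, nonce, issued_at):
    # Length-prefix every field so boundaries cannot be shifted between fields.
    fields = [str(f).encode() for f in (entity_id, nonce, issued_at)]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def idp_build_params(key, session, entity_id, now=None):
    """IdP side: sign the SP entityID together with a fresh per-request nonce."""
    nonce = secrets.token_urlsafe(16)
    issued_at = int(time.time() if now is None else now)
    session["pending"] = {"entity_id": entity_id, "nonce": nonce}
    return {"entityID": entity_id, "nonce": nonce, "iat": issued_at,
            "sig": _mac(key, entity_id, nonce, issued_at)}


def external_verify(key, params, now=None):
    """External authentication service: check the MAC, then freshness."""
    now = int(time.time() if now is None else now)
    expected = _mac(key, params["entityID"], params["nonce"], params["iat"])
    if not hmac.compare_digest(expected.encode(), str(params["sig"]).encode()):
        return False
    return 0 <= now - int(params["iat"]) <= MAX_AGE_SECONDS


def idp_check_return(session, entity_id, nonce):
    """IdP side on return: compare with what this session sent, once only."""
    pending = session.pop("pending", None)
    if pending is None:
        return False
    same_sp = hmac.compare_digest(pending["entity_id"].encode(), entity_id.encode())
    same_nonce = hmac.compare_digest(pending["nonce"].encode(), nonce.encode())
    return same_sp and same_nonce
```

A parameter set copied whole from another request still passes `external_verify` inside the freshness window; it is the comparison in `idp_check_return` against the session's own pending values that rejects it.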
