Disable replay policy for one relying party
N.Howes at warwick.ac.uk
Tue Mar 6 10:45:35 EST 2018
Thanks Scott - your explanation makes sense. In the end we've managed to teach the load balancer to fix the root issue in ADFS, so the browser will only make the one request.
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: 06 March 2018 15:16:47
To: Shib Users
Subject: RE: Disable replay policy for one relying party
> Ideally ADFS would send better cache headers but am looking into this in
> case that's not possible, since its AuthnRequest isn't signed so I don't think
> there's any danger in allowing a replayed request.
It's not about danger, it's about trapping somebody that hits the back button into artificially repeating a login, which I consider the worst possible outcome.
There is no exposed support for it. Various undocumented changes to the system can do it, but nothing supported and definitely nothing per-RP.
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
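The thread above never shows what a replay check on an AuthnRequest actually does, so the following is an added example (not the Shibboleth IdP's code and not anything from the poster's ADFS setup). It decodes a SAML2 HTTP-Redirect-binding request, pulls out its message ID, and runs it through a small in-memory replay cache: the first delivery is accepted, an identical re-send from the browser is rejected, a fresh request with a new ID is accepted, and the original is accepted again only once its cache entry has expired. The request content, issuer and ID values are constructed for the example, and the cache models the general "remember message IDs until they expire" behaviour rather than any specific IdP configuration.

```python
"""Added example: decode a SAML2 HTTP-Redirect AuthnRequest and run its ID
through a replay cache. Illustrative code, not the Shibboleth IdP's own; the
AuthnRequest content below is constructed."""
import base64
import time
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_authn_request(request_id: str) -> str:
    # Constructed sample; Issuer and ACS URL are placeholders for an ADFS-style SP.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2018-03-06T15:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.org/adfs/ls/">'
        '<saml:Issuer>http://sp.example.org/adfs/services/trust</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = co.compress(xml_text.encode("utf-8")) + co.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect(query: str) -> ET.Element:
    """Reverse of encode_redirect: take SAMLRequest from the query string and inflate it."""
    params = urllib.parse.parse_qs(query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))


class ReplayCache:
    """Remembers message IDs until they expire; a second sighting inside the TTL is a replay."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so the demo can advance time
        self._expiry = {}            # message ID -> time after which it may be seen again

    def check(self, message_id: str) -> bool:
        now = self._clock()
        for stale in [k for k, exp in self._expiry.items() if exp <= now]:
            del self._expiry[stale]  # drop expired entries before looking up
        if message_id in self._expiry:
            return False             # replay: reject rather than start a second login
        self._expiry[message_id] = now + self._ttl
        return True


def accept_authn_request(query: str, cache: ReplayCache) -> Tuple[str, bool]:
    """Return (message ID, accepted?) for one delivery of a redirect-binding request."""
    root = decode_redirect(query)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    request_id = root.attrib["ID"]
    return request_id, cache.check(request_id)


def demo() -> List[bool]:
    """Four deliveries: original, browser re-send, a new request, the original after the TTL."""
    clock = {"now": 1000.0}
    cache = ReplayCache(ttl_seconds=300, clock=lambda: clock["now"])
    first = encode_redirect(make_authn_request("_req-1"))
    second = encode_redirect(make_authn_request("_req-2"))
    results = [
        accept_authn_request(first, cache)[1],   # new ID: accepted
        accept_authn_request(first, cache)[1],   # same ID re-sent: rejected as replay
        accept_authn_request(second, cache)[1],  # different ID: accepted
    ]
    clock["now"] += 301                          # past the 300 s TTL
    results.append(accept_authn_request(first, cache)[1])  # entry expired: accepted again
    return results


if __name__ == "__main__":
    print(demo())
```

The point Scott makes in the thread is visible in the second delivery: the cache cannot tell a hostile replay from a browser re-issuing the redirect because of missing cache headers or a back-button press, so the only clean fix is on the SP side (here, the load balancer) making sure the browser sends the request once.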