IdP Initiated SAML and Man in the middle

Nate Klingenstein ndk at signet.id
Mon Jun 7 17:46:09 UTC 2021


> The fix for that was token binding, which Google proposed and then killed.

There is still the SAML holder-of-key profile if you can find a browser that can do mutual TLS authentication and an IdP and SP that have implemented it.  It's a longer shot.

https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.html

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id

