Use HTTP verb in Service Provider request mapper

Cantor, Scott cantor.2 at osu.edu
Thu Oct 21 14:00:26 UTC 2021


> Do you mean that there exists some kind of attack that could catch SAML
> assertions?

If the premise is the client isn't secure, then you have to assume anything that passes through it is fair game. XSS also presumes one can infect the server, which means by definition they've got your session cookies too, and we're back to IP address as the controlling factor.

That is the only real protection, since it shores up the bearer issue, and since nobody wants to accept that the client address matters anymore, that doesn't leave much. Obviously what we need are token bindings to TLS to shore up the cookies and tokens but Google killed that.

-- Scott
