Monday, September 15, 2008

To be fair to Google

it could be argued that the SAML Web Browser SSO profile isn't sufficiently clear on the processing of the InResponseTo attribute:
Regardless of the SAML binding used, the service provider MUST do the following:

Verify that the InResponseTo attribute in the bearer <SubjectConfirmationData> equals the ID of its original <AuthnRequest> message,

Oh, well actually I guess that couldn't be argued.....
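What the quoted rule looks like on the service-provider side, as an added example that is not code from the original post, from Google, or from the paper's authors: it parses a SAML Response and accepts it only if the InResponseTo attribute of every bearer SubjectConfirmationData matches the ID of an AuthnRequest this SP actually sent (and still has outstanding). The sample messages are constructed for the example, signatures are omitted, and the helper names (check_in_response_to, accepted, the pending-ID set) are this example's own assumptions, not an API from any SAML toolkit. The check also rejects the failure mode the post is about: an assertion that carries no InResponseTo at all and so is not bound to any request.

```python
# Added example, not from the original post: the SP-side InResponseTo check that the
# SAML 2.0 Web Browser SSO profile requires. Element and attribute names are the
# standard SAML 2.0 ones; sample XML and helper names are assumptions of this example.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class SamlResponseError(Exception):
    """Raised when the Response must not be accepted."""


def check_in_response_to(response_xml, pending_request_ids):
    """Return the matched AuthnRequest ID, or raise SamlResponseError.

    pending_request_ids is the SP's store of IDs of AuthnRequests it issued and has
    not yet seen answered. A matched ID is removed so the Response is single-use.
    XML signature validation is out of scope here and must run before this check.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlResponseError("not a samlp:Response")

    confirmations = root.findall(
        ".//saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS)
    bearers = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearers:
        raise SamlResponseError("no bearer SubjectConfirmation in any assertion")

    matched = set()
    for conf in bearers:
        data = conf.find("saml:SubjectConfirmationData", NS)
        irt = data.get("InResponseTo") if data is not None else None
        if irt is None:
            # An assertion not bound to any request we made: reject, never accept.
            raise SamlResponseError("bearer SubjectConfirmationData lacks InResponseTo")
        if irt not in pending_request_ids:
            raise SamlResponseError("InResponseTo %r is not an outstanding request" % irt)
        matched.add(irt)

    # The Response element's own InResponseTo, if present, must agree with the assertion.
    top = root.get("InResponseTo")
    if top is not None and top not in matched:
        raise SamlResponseError("Response InResponseTo disagrees with the assertion")
    if len(matched) != 1:
        raise SamlResponseError("assertions answer different requests")

    request_id = matched.pop()
    pending_request_ids.discard(request_id)  # consume: a replay will not match
    return request_id


def accepted(response_xml, pending_request_ids):
    """True if the Response passes the check, False if it is rejected."""
    try:
        check_in_response_to(response_xml, pending_request_ids)
        return True
    except SamlResponseError:
        return False


# Constructed sample messages for this example (not captured traffic, no signatures).
REQUEST_ID = "_8f2c5b0a1d"

GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" InResponseTo="_8f2c5b0a1d">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_8f2c5b0a1d"
            Recipient="https://sp.example.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion with no InResponseTo anywhere: not bound to any request of ours.
UNBOUND_RESPONSE = GOOD_RESPONSE.replace(' InResponseTo="_8f2c5b0a1d"', "")


if __name__ == "__main__":
    pending = {REQUEST_ID}
    print("good, first use :", accepted(GOOD_RESPONSE, pending))   # True
    print("good, replayed  :", accepted(GOOD_RESPONSE, pending))   # False, ID consumed
    print("unbound         :", accepted(UNBOUND_RESPONSE, {REQUEST_ID}))  # False
```

The pending-ID set is the piece implementations tend to skip: without it the SP has nothing to compare InResponseTo against, and then "verify that it equals the ID of its original message" cannot be done at all, which is why the check has to be designed in from the start rather than bolted on.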

To Kim's credit, he places blame where it belongs.

My favourite line from the paper outlining the flaw in Google's implementation:
The protocol discussed above results from a considerable effort we put into a careful scrutiny and interpretation of the modular and open, but informal and bulky SAML 2.0 specifications.

I have some ideas for 'simplifying' the rail gauge standard. Off I go with my crowbar for some experiments on a local track.
