Regardless of the SAML binding used, the service provider MUST do the following:
Verify that the InResponseTo attribute in the bearer equals the ID of its original
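To illustrate the check quoted above from the SP side, here is an added example (not from this thread or from any SAML library): a service provider that parses a response, reads the InResponseTo attribute of every bearer SubjectConfirmationData, and accepts it only if it names one of the AuthnRequest IDs the SP itself issued and still has outstanding. The sample response, the pending-ID set and the ACS URL are constructed; the example assumes an SP-initiated flow and does not cover signature validation.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: a minimal unsigned Response carrying one bearer assertion.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" InResponseTo="_req42" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.test/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_in_response_to(response_xml: str, pending_request_ids: set) -> str:
    """Return the AuthnRequest ID the response answers, or raise ValueError.

    Every bearer SubjectConfirmationData must carry an InResponseTo that names
    one of *our* outstanding requests (hypothetical pending_request_ids store).
    The matched ID is consumed so the same response cannot be presented twice.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    bearer_data = [
        sc.find(f"{{{SAML}}}SubjectConfirmationData")
        for sc in root.iter(f"{{{SAML}}}SubjectConfirmation")
        if sc.get("Method") == BEARER
    ]
    if not bearer_data or any(d is None for d in bearer_data):
        raise ValueError("no bearer SubjectConfirmationData")
    ids = {d.get("InResponseTo") for d in bearer_data}
    if len(ids) != 1 or None in ids:
        # SP-initiated flow assumed: a missing InResponseTo is rejected here.
        raise ValueError("bearer InResponseTo missing or inconsistent")
    (req_id,) = ids
    top_level = root.get("InResponseTo")
    if top_level is not None and top_level != req_id:
        raise ValueError("Response/@InResponseTo disagrees with the assertion")
    if req_id not in pending_request_ids:
        raise ValueError(f"unsolicited or replayed response: {req_id}")
    pending_request_ids.discard(req_id)  # one-time use
    return req_id
```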
Oh, well actually I guess that couldn't be argued.....
To Kim's credit, he places blame where it belongs.
My favourite line from the paper outlining the flaw in Google's implementation:
The protocol discussed above results from a considerable effort we put into a careful scrutiny and interpretation of the modular and open, but informal and bulky SAML 2.0
I have some ideas for 'simplifying' the rail gauge standard. Off I go with my crowbar for some experiments on a local track.