SAML SSO Security
How does the relying party trust what is being asserted to it? In addition, what prevents a “man-in-the-middle” attack that might grab assertions to be illicitly “replayed” at a later date? These and many more security considerations are discussed in detail in the SAML Security and Privacy Considerations specification [SAMLSec].
SAML allows for message integrity by supporting XML digital signatures in request/response messages.
SAML supports public key exchange either out of band or included in request/response messages.
If additional message privacy is needed, SAML supports sending request/response messages over SSL 3.0 or TLS 1.0 (the versions the specification names; a current deployment should use a modern TLS version, since SSL 3.0 and TLS 1.0 are deprecated). Other security features deserve coverage here, such as the differing security levels of the bindings and the fact that both the IdP and the SP can create opaque handles to represent the user's account for privacy reasons, but covering them properly would take a lot of energy and time…
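The replay question raised above is answered on the relying-party side by the assertion's own validity data, not by the signature alone: a signed assertion is still a bearer token until it has been checked against the SP's clock, audience, ACS URL, outstanding request IDs, and a one-time-use cache of assertion IDs. The following is an added example (not code from the original post or from the OASIS specifications) of those SP-side checks in Python using only the standard library. It assumes the XML Signature on the Response or Assertion has already been verified with an XML-DSig library such as xmlsec (the standard library cannot do that) and that the verified element is the Assertion consumed here; the entity IDs, URLs, timestamps and the SP clock in it are all constructed for the demo.

```python
"""SP-side checks that stop a captured SAML 2.0 assertion from being replayed.

Added example. Precondition, not done here: the XML Signature has been
verified with an XML-DSig library (e.g. xmlsec) and covers this Assertion.
All entity IDs, URLs and timestamps below are constructed for the demo.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
UTC = dt.timezone.utc
NOW = dt.datetime(2024, 1, 1, 12, 0, 30, tzinfo=UTC)   # constructed SP clock

SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req1" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/acs">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml2:Issuer>https://idp.example.com</saml2:Issuer>
    <saml2:Subject><saml2:NameID>alice</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>
"""
# IdP-initiated variant of the same constructed message: no InResponseTo, new assertion ID.
UNSOLICITED = SAMPLE_RESPONSE.replace(' InResponseTo="_req1"', "").replace('ID="_a1"', 'ID="_a2"')


def parse_instant(value):
    """SAML timestamps are UTC xs:dateTime; the common 'Z' form is handled here."""
    if value is None:
        return None
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


class SpState:
    """What the SP must remember across requests to detect replay."""
    def __init__(self, outstanding=()):
        self.outstanding_requests = set(outstanding)   # AuthnRequest IDs awaiting a Response
        self.seen_assertion_ids = {}                   # assertion ID -> NotOnOrAfter (purge when past)


def validate_response(xml_text, state, *, entity_id, acs_url, idp_entity_id, now,
                      allow_unsolicited=False, skew=dt.timedelta(seconds=60)):
    """Return (accepted, reason). Call only after signature verification succeeded."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml2p']}}}Response" or root.get("Destination") != acs_url:
        return False, "not a Response for this ACS"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            return False, "unsolicited Response not allowed"
    elif in_response_to not in state.outstanding_requests:
        return False, "unknown or already-consumed InResponseTo"

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return False, "no plaintext Assertion (EncryptedAssertion not handled)"
    if assertion.findtext("saml2:Issuer", namespaces=NS) != idp_entity_id:
        return False, "unexpected Issuer"

    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if not_before and now + skew < not_before:
        return False, "assertion not yet valid"
    if not_on_or_after is None or now - skew >= not_on_or_after:
        return False, "assertion expired"
    if entity_id not in [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]:
        return False, "audience mismatch"

    scd = None   # bearer confirmation must name this ACS and the request it answers
    for sc in assertion.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != in_response_to:
        return False, "bearer SubjectConfirmationData mismatch"
    bearer_exp = parse_instant(scd.get("NotOnOrAfter"))
    if bearer_exp is None or now - skew >= bearer_exp:
        return False, "bearer confirmation expired"

    assertion_id = assertion.get("ID")   # each assertion may be consumed exactly once
    if assertion_id in state.seen_assertion_ids:
        return False, "replayed assertion ID"
    state.seen_assertion_ids[assertion_id] = not_on_or_after
    state.outstanding_requests.discard(in_response_to)   # the AuthnRequest is now answered
    return True, "ok"


def demo():
    """Reasons for: fresh, same bytes again, unsolicited fresh, unsolicited again, expired."""
    sp = dict(entity_id="https://sp.example.com", acs_url="https://sp.example.com/acs",
              idp_entity_id="https://idp.example.com")
    st = SpState({"_req1"})
    return (validate_response(SAMPLE_RESPONSE, st, now=NOW, **sp)[1],
            validate_response(SAMPLE_RESPONSE, st, now=NOW, **sp)[1],
            validate_response(UNSOLICITED, st, now=NOW, allow_unsolicited=True, **sp)[1],
            validate_response(UNSOLICITED, st, now=NOW, allow_unsolicited=True, **sp)[1],
            validate_response(SAMPLE_RESPONSE, SpState({"_req1"}),
                              now=NOW + dt.timedelta(minutes=7), **sp)[1])


if __name__ == "__main__":
    print(demo())
```

Two points are worth noting about the design. In the SP-initiated flow the consumed `InResponseTo` already blocks a second delivery of the same bytes, so the assertion-ID cache matters mainly for unsolicited (IdP-initiated) responses, where there is no request ID to tie the message to; the cache only needs to hold IDs until their `NotOnOrAfter` has passed, because anything older is rejected by the time check anyway. And the clock-skew allowance cuts both ways: it keeps a slightly fast IdP from being rejected, but it also extends the replay window by the same amount, so keep it small.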
[ Security Assertions and Protocol Digest here ]
docs.oasis-open.org