On 20/04/2013, at 9:12 PM, "Cantor, Scott" <[log in to unmask]> wrote:
> On 4/20/13 9:16 AM, "Sam Hartman" <[log in to unmask]> wrote:
>
>>>>>>> "Luke" == Luke Howard <[log in to unmask]> writes:
>>
>>
>> Luke> But cryptographically the trust flows through the AAA chain,
>> Luke> doesn't it? Or are people deploying Moonshot with explicitly
>> Luke> signed SAML assertions? Who verifies these?
>>
>> So, the first assertion--the one from the IDP--flows through the AAA
>> chain.
>> However, the second assertion--from the group IDP--is something we
>> expect the RP to be configured to retrieve directly from the group IDP
>> and to check the signature.
>
> Typically not signed, it's normally just mutual TLS. Can be signed, but
> the evaluation against metadata is identical whether it's TLS or
> signatures.
Is the assertion channel bound to the TLS session or certificate?
-- Luke