>>>>> "Luke" == Luke Howard <[log in to unmask]> writes:
Luke> But cryptographically the trust flows through the AAA chain,
Luke> doesn't it? Or are people deploying Moonshot with explicitly
Luke> signed SAML assertions? Who verifies these?

So, the first assertion--the one from the IDP--flows through the AAA
chain.

However, the second assertion--from the group IDP--is something we
expect the RP to be configured to retrieve directly from the group IDP
and to check the signature.

--Sam