[jboss-user] [Security & JAAS/JBoss] - Re: How is JBoss SSO SAML token been validated?

alllle do-not-reply at jboss.com
Wed Jul 16 18:56:03 EDT 2008


When thinking about it, it occurs to me that the "Referer" does not seem to be a reliable way of determining the issuing site.

1. The "Referer" site might not be the original issuer of the token, when more than 2 sites are participating in the SSO.

2. If integrating with a 3rd-party application / platform, it may not look at the "Referer" header at all.

3. It will be difficult to support SSO for programmatic access of remote services like SOAP or REST. 

It seems to me that including the issuer URL in the token does not impose security risks, as the validation of the token is still done by the original issuer. And doing so makes the SAML token contain sufficient information to perform validation instead of relying on additional "meta" data like the Referer header.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4164875#4164875

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4164875
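The distinction the post draws, as an added example (not code from the original post or from JBoss SSO): the issuer is read from the assertion's own `<saml:Issuer>` element and looked up in a configured allow-list of trusted issuers, while the Referer-derived guess is shown for contrast. The issuer URLs, validation endpoint paths, trust map and sample assertion are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed trust configuration (hypothetical): issuer URL exactly as it
# appears in <saml:Issuer> -> endpoint at that issuer which confirms the token.
# Only issuers listed here may ever be called back; anything else is rejected.
TRUSTED_ISSUERS = {
    "https://sso-a.example.com": "https://sso-a.example.com/validate",
    "https://sso-b.example.com": "https://sso-b.example.com/validate",
}

# Constructed sample assertion issued by site A.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example-1"
    Version="2.0" IssueInstant="2008-07-16T22:56:03Z">
  <saml:Issuer>https://sso-a.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""


def issuer_from_assertion(assertion_xml: str) -> Optional[str]:
    """Return the issuer named inside the token itself (direct <saml:Issuer> child)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find(f"{{{SAML2_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return None
    return issuer.text.strip()


def issuer_from_referer(referer: Optional[str]) -> Optional[str]:
    """The approach the post argues against: guess the issuer from the Referer origin.
    It is absent for most SOAP/REST clients and, in a chain of SSO sites, names
    the site that redirected the browser, not the one that issued the token."""
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def select_validator(assertion_xml: str) -> Tuple[str, str]:
    """Pick the validation endpoint from the issuer carried in the token,
    refusing tokens whose issuer is not in the configured trust map."""
    issuer = issuer_from_assertion(assertion_xml)
    if issuer is None:
        raise ValueError("token names no issuer")
    endpoint = TRUSTED_ISSUERS.get(issuer)
    if endpoint is None:
        raise ValueError(f"issuer not trusted: {issuer}")
    return issuer, endpoint
```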



More information about the jboss-user mailing list