[cap-talk] forging SAML security assertions in Zebra Copy

Karp, Alan H alan.karp at hp.com
Mon Feb 23 13:26:00 EST 2009


John Carlson wrote:
> 
> Are SAML security assertions unforgeable in the Zebra Copy example?
> Say I wanted to use a type of database query language in the
> authorization assertion.
>
Yes.  Each assertion is signed by the delegator, and the SOAP message is signed by the user of the assertion.  These signatures are checked before accepting an authorization.  I don't understand what you mean by using a query language in the assertion.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
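
The check described in the reply above, as an added example that is not part of the original message and is not Zebra Copy's code. It models assertions as plain structs signed with Ed25519 in place of XML signatures on SAML and SOAP; the types, function names, the single `Right` string and the sample request are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Assertion is a simplified stand-in (assumption) for a signed SAML authorization
// assertion: Issuer, the delegator, grants Right to Subject and signs the statement.
type Assertion struct {
	Issuer, Subject ed25519.PublicKey
	Right           string
	Sig             []byte
}

// payload is the byte string the delegator signs; hex keys keep fields unambiguous.
func (a Assertion) payload() []byte {
	return []byte(fmt.Sprintf("%x|%x|%s", a.Issuer, a.Subject, a.Right))
}

// Delegate has the holder of priv sign a new assertion granting right to subject.
func Delegate(priv ed25519.PrivateKey, subject ed25519.PublicKey, right string) Assertion {
	a := Assertion{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Right: right}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// Authorize accepts a request only if every assertion verifies under its delegator's
// key, the chain starts at owner and each issuer is the previous subject, and the
// message is signed by the final subject (the user of the last assertion).
func Authorize(owner ed25519.PublicKey, chain []Assertion, right string, msg, msgSig []byte) bool {
	holder := owner
	for _, a := range chain {
		if !a.Issuer.Equal(holder) || a.Right != right || !ed25519.Verify(a.Issuer, a.payload(), a.Sig) {
			return false
		}
		holder = a.Subject
	}
	return ed25519.Verify(holder, msg, msgSig)
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil)
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	msg := []byte("constructed request: copy document 17")
	a := Delegate(ownerPriv, alicePub, "copy")
	fmt.Println("signed chain accepted:", Authorize(ownerPub, []Assertion{a}, "copy", msg, ed25519.Sign(alicePriv, msg)))
	a.Right = "delete" // altered after signing: the delegator's signature no longer matches
	fmt.Println("altered chain accepted:", Authorize(ownerPub, []Assertion{a}, "delete", msg, ed25519.Sign(alicePriv, msg)))
}
```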


