Development #44
Add to the doc the basic necessity of SAML security
Start date:
21 May 2010
Due date:
% Done:
0%
Estimated time:
5:00 h
Patch proposed:
Planning:
Description
We can add a lot of verifications between request/response (that the IDs match,
that the response is addressed to the SP, etc.), but there will always be
things we cannot verify inside Lasso, like the IP of the client (if the IdP adds
it as a verification means to the AuthnResponse) or whether the notBefore/notAfter
attributes are respected (we are not sure of the time at the SP).
We should explicitly mention all those things that the SP could and should
verify around SAML exchanges but that are not in the scope of Lasso. It should
eventually be a section of the documentation.
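As an added example (not Lasso code and not part of this ticket), the checks listed above written out as the post-processing an SP would run on a SAML 2.0 Response after the library has already verified the signature: InResponseTo matching the request the SP actually issued, Destination/Recipient matching the SP's own endpoint, Audience naming the SP, the Conditions and SubjectConfirmationData time window with a tolerance for clock skew at the SP, and the SubjectLocality address against the peer IP the SP sees. The sample response, the entity IDs, the ACS URL and the client address are constructed for the example; SAML 2.0 uses NotBefore/NotOnOrAfter as the attribute names.

```python
"""Service-provider side checks on a SAML 2.0 Response that a library cannot
do for you (request ID, audience, recipient, validity window, client IP).
Added example; not Lasso code.  The SP is assumed to know the request ID it
issued, its entity ID, its ACS URL, the client's IP and a tolerable clock skew."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC ('Z'); older Pythons reject 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_request_id, sp_entity_id, acs_url,
                   client_ip, now, skew=timedelta(minutes=2)):
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    root = ET.fromstring(xml_text)
    # 1. The response must answer the request this SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        failures.append("response InResponseTo")
    # 2. If Destination is present it must be this SP's ACS endpoint.
    if root.get("Destination") not in (None, acs_url):
        failures.append("response Destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no assertion"]
    # 3. Validity window, tolerating a little clock drift at the SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            failures.append("NotBefore")
        if noa and now - skew >= parse_saml_time(noa):
            failures.append("NotOnOrAfter")
        # 4. An AudienceRestriction, when present, must name this SP.
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            failures.append("Audience")
    # 5. Bearer confirmation: same request ID, our recipient URL, not expired.
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            failures.append("bearer without SubjectConfirmationData")
            continue
        if data.get("InResponseTo") != expected_request_id:
            failures.append("SubjectConfirmationData InResponseTo")
        if data.get("Recipient") != acs_url:
            failures.append("Recipient")
        noa = data.get("NotOnOrAfter")
        if noa and now - skew >= parse_saml_time(noa):
            failures.append("SubjectConfirmationData NotOnOrAfter")
    # 6. If the IdP recorded the client's address, it must match the peer we see.
    loc = assertion.find("saml:AuthnStatement/saml:SubjectLocality", NS)
    if loc is not None and loc.get("Address") and loc.get("Address") != client_ip:
        failures.append("SubjectLocality Address")
    return failures


# Constructed sample response (no signature; signature checking is the library's job).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2010-05-21T10:00:00Z"
    InResponseTo="_req1" Destination="https://sp.example/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-05-21T10:00:00Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example/acs" NotOnOrAfter="2010-05-21T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-05-21T09:59:00Z" NotOnOrAfter="2010-05-21T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-05-21T10:00:00Z">
      <saml:SubjectLocality Address="192.0.2.10"/>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = datetime(2010, 5, 21, 10, 1, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, "_req1", "https://sp.example/",
                         "https://sp.example/acs", "192.0.2.10", now))
```

The function returns the list of failed checks rather than a boolean so the SP can log which condition was violated; the skew parameter is the only concession to the "we are not sure of the time at the SP" problem, and it should be kept small.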