the saml2p:Scoping block in authn requests


the saml2p:Scoping block in authn requests

Wessel, Keith William
Hi, all,

Is there any risk of building an authn request that doesn't include the <saml2p:Scoping> block? We're creating a lightweight script that performs an ECP authentication against our IdP and sends the response to Amazon to generate command-line and AWS API access tokens. Our developer was asking about some simplifications to the code, and this was the one I couldn't answer.

It seems that the IdP will accept a request without this block. I assume it's optional, and the only thing it ensures if it's included and contains an IdP entityID is that the IdP won't respond to it if its entityID isn't listed. But if the receiving SP is checking the issuer of the response, that security check is happening later, anyway.

Am I missing something?

Thanks,
Keith

--
To unsubscribe from this list send an email to [hidden email]

RE: the saml2p:Scoping block in authn requests

Cantor, Scott E.
> Is there any risk of building an authn request that doesn't include the
> <saml2p:Scoping> block?

Nobody really uses Scoping, what makes you think it's normal to use it?

> It seems that the IdP will accept a request without this block. I assume it's
> optional, and the only thing it ensures if it's included and contains an IdP
> entityID is that the IdP won't respond to it if its entityID isn't listed. But if the
> receiving SP is checking the issuer of the response, that security check
> is happening later, anyway.

Scoping is for proxying. It supposedly controls where the IdP will proxy a request back to. An SP setting it that doesn't rely on a single IdP proxy doesn't have any idea what it's doing.

-- Scott
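Added example (not from the thread or the Shibboleth project): a standard-library Python sketch of the two checks being contrasted above, the IdP-side IDPList restriction that a Scoping block expresses and the SP-side Issuer check that happens on the response regardless. Entity IDs and the sample Response are constructed placeholders; signature validation is not shown.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAMLP, "saml2": SAML}

def build_authn_request(sp_entity_id, idp_entity_ids=None):
    """Return an AuthnRequest; Scoping/IDPList is emitted only when IdPs are given."""
    ET.register_namespace("saml2p", SAMLP)
    ET.register_namespace("saml2", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": "_constructed-id-1", "Version": "2.0",
                      "IssueInstant": "2018-04-04T20:00:00Z"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if idp_entity_ids:
        # ProxyCount="0" plus an IDPList: "answer this yourself, and only if listed"
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": "0"})
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        for eid in idp_entity_ids:
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": eid})
    return ET.tostring(req, encoding="unicode")

def scoping_permits(authn_request_xml, idp_entity_id):
    """IdP-side view: no Scoping/IDPList means any IdP may answer;
    with an IDPList, only a listed ProviderID may answer."""
    root = ET.fromstring(authn_request_xml)
    entries = root.findall("saml2p:Scoping/saml2p:IDPList/saml2p:IDPEntry", NS)
    if not entries:
        return True
    return any(e.get("ProviderID") == idp_entity_id for e in entries)

def response_issuer_ok(response_xml, expected_idp_entity_id):
    """SP-side view: Issuer of the Response and of every Assertion must be the expected IdP."""
    root = ET.fromstring(response_xml)
    issuers = [root.findtext("saml2:Issuer", namespaces=NS)]
    issuers += [a.findtext("saml2:Issuer", namespaces=NS)
                for a in root.findall("saml2:Assertion", NS)]
    return all(i == expected_idp_entity_id for i in issuers)

# Constructed sample Response (hypothetical entity IDs, no signature)
IDP = "https://idp.example.edu/idp/shibboleth"
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}"
  ID="_constructed-resp-1" Version="2.0" IssueInstant="2018-04-04T20:00:01Z">
  <saml2:Issuer>{IDP}</saml2:Issuer>
  <saml2:Assertion ID="_constructed-a1" Version="2.0" IssueInstant="2018-04-04T20:00:01Z">
    <saml2:Issuer>{IDP}</saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    plain = build_authn_request("https://sp.example.org/shibboleth")
    scoped = build_authn_request("https://sp.example.org/shibboleth", [IDP])
    print(scoping_permits(plain, IDP), scoping_permits(scoped, "https://other.example.net/idp"))
    print(response_issuer_ok(SAMPLE_RESPONSE, IDP))
```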


RE: the saml2p:Scoping block in authn requests

Wessel, Keith William
I didn't say I thought it was normal; it was just in the ECP excerpt that we started with, and at this point, I can't remember where we even started. Makes me think we should pass through the rest of the authn request to make sure we don't have other unneeded elements.

Thanks, Scott, that's exactly what I needed to know.

Keith


RE: the saml2p:Scoping block in authn requests

Cantor, Scott E.
> I didn't say I thought it was normal; it was just in the ECP excerpt that we
> started with, and at this point, I can't remember where we even started.

I think the SP might include it because Scoping has an obscure ability to include the name of an IdP so a client UI could display it. In that scenario, it's not inside the AuthnRequest, it's in a SOAP header for the client to read.

-- Scott


RE: the saml2p:Scoping block in authn requests

Cantor, Scott E.
> > I didn't say I thought it was normal; it was just in the ECP excerpt
> > that we started with, and at this point, I can't remember where we even
> > started.
>
> I think the SP might include it because Scoping has an obscure ability to
> include the name of an IdP so a client UI could display it. In that scenario, it's
> not inside the AuthnRequest, it's in a SOAP header for the client to read.

Hmm, no, you're right. The SP does include that inside the request. I have no idea why, it was not well thought out and serves no purpose there. Sorry for the confusion.

-- Scott
