Basic - 7.5. Assertion Substitution
Issue #142
resolved
I think that

* OP must check client_id and redirect_url to return assertions to proper RP.
* RP is recommended to use state or/and UA session cookie to bind returned assertions to proper authz request.
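The two checks proposed above, sketched as an added example that is not part of the original issue or of the OpenID Connect specification text. The client registry, the `op_check_request` function and the `RelyingParty` class are hypothetical names, and the sample client and URIs are constructed.

```python
import hmac
import secrets

# Constructed OP client registry: client_id -> exactly registered redirect URIs.
REGISTERED_CLIENTS = {
    "rp-example": {"https://rp.example/cb"},
}


def op_check_request(client_id, redirect_uri):
    """OP side: only return assertions to a redirect URI registered for this client."""
    registered = REGISTERED_CLIENTS.get(client_id)
    # Exact string match: prefix or substring matching would let a different
    # endpoint receive the response intended for the registered RP.
    return registered is not None and redirect_uri in registered


class RelyingParty:
    """RP side: bind each authz request to the UA session that started it."""

    def __init__(self):
        # UA session cookie value -> state issued for that session
        self._pending = {}

    def begin_authz(self, session_id):
        # Unguessable per-request value, sent as the `state` parameter.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return state

    def accept_callback(self, session_id, returned_state):
        # pop() makes the state single use, so a replayed response is rejected
        # and a failed attempt does not leave a usable state behind.
        expected = self._pending.pop(session_id, None)
        if expected is None or returned_state is None:
            return False
        # Constant-time comparison of the stored and returned values.
        return hmac.compare_digest(expected.encode(), returned_state.encode())
```

A response carrying a `state` issued for another session, or arriving on a session with no pending request, is rejected before any assertion in it is processed.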
Comments (4)
Assertion substitution in SP-800-63 has to do with reordering packets on the wire to attack SOAP etc.
I will look at this again.
reporter Thank you very much for your information.
- changed status to resolved