Re: [higgins-dev] How to determine, as an RP, security token procedence

[John Bradley <ve7jtb@xxxxxxxxxx>]

You look at the issuer/entityID in the SAML token if it is a SAML token.

How you trust the issuer is a bit more complicated.  It depends on how  
the white list is constructed.

For the GSA the whitelist contains the signing certificates and LoA  
for each issuer.

Depending on the issuer they may not be sending a certificate, only  
the RSA public key.

If you try and use the key directly things will break the first time  
the IdP renews there certificate.

John B.
On 2009-09-23, at 9:54 AM, David Campos wrote:

> Hello all,
>
> I know that maybe this is not an iCard normal scenario, since RP  
> should not know anything about who made the token but... there is  
> any way that could allow RP to know that a token comes from a  
> trusted IdP? I guess that it should exist any way to do it because  
> depending of the procedence the token may be more or less trustable...
>
> I don't think that this has something to do with appliesTo, since  
> that parameter will send IdP certificate through the net and this  
> would trash almost all anonymity between RP and IdP. I would like a  
> method to know that the token is reliable and not to know directly  
> who issued it.
>
> Thanks for any help you can give me :)
>
> Regards,
> ---
> David Campos
> Safelayer Secure Communications
> DMAG UPC Researcher
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev