Timing of Realm/RP validation

Allen Tom atom at yahoo-inc.com
Wed Jan 20 21:38:10 UTC 2010


Hi Hubert - 

RP Realm verification should be done by the OP before returning the
assertion to the RP. Depending on the OP's security policies, the OP may
want to warn the user, or even block the request if the return_to for the
realm can't be verified.

It might make sense for the OP to verify the realm prior to authenticating
the user, since it makes sense to detect the realm mismatch as early in the
request lifecycle as possible. For instance - the OP could display a warning
or error to the user before the user even logs in to the OP.

In Yahoo's case, we do the verification and cache the result so that it can
be reused for multiple requests. As Andrew mentioned, we cache the result
for an hour. We have seen some issues with data freshness when RPs change
their return_to URLs.

Thanks
Allen



On 1/15/10 5:33 PM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:

> Ya, you're free to do RP verification before or after authentication.
> In fact some major OPs like Yahoo cache the results for 1 hour and
> thus don't actually perform RP verification most times at all (if it's
> in their cache)
> 
> On Friday, January 15, 2010, Hubert Le Van Gong
> <Hubert.Levangong at sun.com> wrote:
>> Greetings,
>> Is it correct to say the spec (2.0) does not mandate a specific moment in the
>> protocol at which the RP/realm validation should occur? For instance, the OP
>> could first authenticate the user and then perform RP verification or it could
>> do that validation before authenticating the user. Although the latter seems
>> more intuitive (and efficient) would both be compliant?
>> Cheers, Hubert
>> 
>> 
>> --
>> Hubert A. Le Van Gong
>> Identity Architect
>> Sun microsystems, Inc.
>> 17 Rue Duprey
>> Grenoble, 38000
>> France
>> --------------------------------------------------
>> email: hubert.levangong at sun.COM
>> tel: +33 4 7663 0935
>> blog: http://blog.levangong.com/
>> N 45 11.900' W 005 44.145' Elev. 736 ft.
>> 
>> 
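Added example, not code from the thread or from any of the OPs mentioned in it: an OP-side RP verification step in the shape Allen describes. It first applies the OpenID 2.0 section 9.2 realm matching rules (same scheme and port, realm path as a path-segment prefix of the return_to path, exact host or a leading `*.` wildcard) without touching the network, then compares the return_to against the endpoints discovered for the realm, caching the discovery result per realm for a TTL (one hour, as in the thread). RP discovery itself is injected as a callable so the example runs offline; the endpoint list, URLs and the `simulate_stale_cache` scenario are constructed here, and the segment-aware reading of "path prefix" and the use of the 9.2 rules to compare against discovered endpoints are this example's interpretation of the spec.

```python
import time
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2 realm matching (this example's implementation).

    scheme and port must match, the realm path must be a path-segment prefix of
    the return_to path, the host must match exactly or via a '*.' wildcard on
    the realm, and a realm with a fragment is invalid.
    """
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or not rl.hostname or not rt.hostname:
        return False
    if rt.scheme != rl.scheme:
        return False
    if (rt.port or _DEFAULT_PORTS.get(rt.scheme)) != (rl.port or _DEFAULT_PORTS.get(rl.scheme)):
        return False
    rt_host, rl_host = rt.hostname, rl.hostname
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != rl_host:
        return False
    rt_path, rl_path = rt.path or "/", rl.path or "/"
    # "/openid" must match "/openid" and "/openid/cb" but not "/openidx".
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")


class CachedRealmVerifier:
    """OP-side RP verification with a per-realm TTL cache of discovered
    return_to endpoints. `discover` is a callable realm -> list of return_to
    URLs (in practice the realm's XRDS return_to service URIs); it is injected
    so the example needs no network."""

    def __init__(self, discover, ttl_seconds=3600, clock=time.time):
        self._discover = discover
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # realm -> (expires_at, endpoints)

    def discovered_endpoints(self, realm):
        now = self._clock()
        entry = self._cache.get(realm)
        if entry is None or entry[0] <= now:
            endpoints = list(self._discover(realm))
            self._cache[realm] = (now + self._ttl, endpoints)
            return endpoints
        return entry[1]

    def verify(self, realm, return_to):
        # Step 1: syntactic realm match; cheap, so it can run before login.
        if not return_to_matches_realm(return_to, realm):
            return False
        # Step 2: return_to must match one of the (possibly cached) endpoints
        # the RP publishes for this realm, compared with the same rules.
        return any(return_to_matches_realm(return_to, ep)
                   for ep in self.discovered_endpoints(realm))


def simulate_stale_cache():
    """Constructed scenario: the RP moves its return_to from /openid/old to
    /openid/new; the cached discovery result keeps rejecting the new URL until
    the TTL expires, which is the freshness issue the thread mentions."""
    clock = {"t": 0.0}
    published = {"endpoints": ["https://rp.example/openid/old"]}
    verifier = CachedRealmVerifier(lambda realm: published["endpoints"],
                                   ttl_seconds=3600, clock=lambda: clock["t"])
    realm = "https://rp.example/"
    first = verifier.verify(realm, "https://rp.example/openid/old")   # discovery runs
    published["endpoints"] = ["https://rp.example/openid/new"]         # RP changes return_to
    clock["t"] = 600.0
    stale = verifier.verify(realm, "https://rp.example/openid/new")   # cache still lists /old
    clock["t"] = 3601.0
    fresh = verifier.verify(realm, "https://rp.example/openid/new")   # TTL expired, rediscovered
    return first, stale, fresh


if __name__ == "__main__":
    print(simulate_stale_cache())  # (True, False, True)
```

The split into a syntactic check and a discovery check mirrors the timing question in the thread: the first step costs nothing and can reject a mismatched return_to before the user is asked to log in, while the second step is the one whose result is worth caching and whose cache lifetime decides how quickly an RP's changed return_to is accepted.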