Private:Catalyst Interop 2007 Oracle RP
Last Update: 28 May, 2007
The Oracle RP site uses a sample "photo sharing" application called Oracle PhotoShare. This application requires the user to log in with an information card. When an unauthenticated user first accesses the application's main page, the user is redirected to the relying party login page, which offers a choice of logging in with an information card or with a username and password.
Policy Endpoint: Embedded in HTML
| Issue Description | Found By | Solution Notes |
| --- | --- | --- |
| Should there be a common requiredClaims set supported by all IdPs? | Ramana Turlapati | The least common set of required claims among the published RPs is: ppid and email. However, managed cards of certain IdPs (such as STS Live, HumanPresent, etc.) do not support any of the standard claims, with the exception of ppid. It appears RPs are forced to handle tokens from the STS Live IdP differently from the rest of the IdPs. |
| RP security best practices for Token & Claims Validation | Ramana Turlapati | This issue concerns validation of the token that is posted to the RP. The question is which set of checks an RP needs to perform; in other words, what is the minimum set of verifications an RP must perform to make the use case provably secure. The following list is an attempt to come up with such a set of recommended practices for RPs. |
| What is the right TokenType value? | Ramana Turlapati | Some IdPs use "urn:oasis:names:tc:SAML:1.0:assertion", some use "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1", and some support both. What is the right value for TokenType? |
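As an added illustration of the token-validation question raised in the table (this is example code written for this page, not Oracle PhotoShare's or any IdP's code), the function below applies the checks an RP would run on a posted SAML 1.1 assertion after its XML signature has been verified: accepted TokenType, trusted issuer, validity window, audience restriction, and presence of the ppid and email claims. The issuer, audience and claim values are constructed; the Information Card claim namespace and attribute names are assumed from the CardSpace claim URIs, and the sample assertion is a constructed minimal one, not a real token.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ICLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # assumed claim namespace
# Both TokenType values seen across IdPs on this page denote a SAML 1.1 assertion.
ACCEPTED_TOKEN_TYPES = {SAML1, "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"}
REQUIRED_CLAIMS = {"privatepersonalidentifier", "emailaddress"}  # ppid and email

def parse_ts(s):  # SAML 1.1 UTC timestamp, e.g. 2007-05-28T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_token(xml_text, token_type, trusted_issuers, rp_audience, now):
    """Checks applied AFTER the XML-DSig signature over the assertion has verified; returns (ok, failures)."""
    fails, q = [], (lambda name: "{%s}%s" % (SAML1, name))
    if token_type not in ACCEPTED_TOKEN_TYPES:
        fails.append("unexpected TokenType: " + token_type)
    a = ET.fromstring(xml_text)
    if a.tag != q("Assertion"):
        return False, ["root element is not a SAML 1.x Assertion"]
    if a.get("Issuer") not in trusted_issuers:
        fails.append("untrusted issuer: %s" % a.get("Issuer"))
    cond = a.find(q("Conditions"))
    if cond is None:
        fails.append("no Conditions element")
    else:  # validity window and audience restriction (blocks reuse of the token at another RP)
        if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
            fails.append("token outside its validity window")
        if rp_audience not in {e.text for e in cond.iter(q("Audience"))}:
            fails.append("RP not in audience restriction")
    claims = {at.get("AttributeName"): at.findtext(q("AttributeValue"))
              for at in a.iter(q("Attribute")) if at.get("AttributeNamespace") == ICLAIMS}
    missing = REQUIRED_CLAIMS - {k for k, v in claims.items() if v}
    if missing:
        fails.append("missing required claims: " + ", ".join(sorted(missing)))
    return not fails, fails

# Constructed, minimal sample assertion (not a real IdP token; signature element omitted).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML1}" Issuer="https://idp.example.test">
  <saml:Conditions NotBefore="2007-05-28T10:00:00Z" NotOnOrAfter="2007-05-28T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://rp.example.test/photoshare</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{ICLAIMS}">
      <saml:AttributeValue>cGlkLWNvbnN0cnVjdGVk</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{ICLAIMS}">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A token carrying only ppid, as the table reports for some managed-card IdPs, fails the required-claims check here, which is exactly the case an RP has to decide how to handle.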
Planned Features & Status
Notes on public reference
Technical Contact / Marketing Contact
Contact Name: Uppili Srinivasan