The updated version of SP-800-63-1 is official as of Dec 2011. The FICAM SAML 2.0 Web SSO Profile has been updated to reflect some clarifications. The major change is that SAML assertions using the POST binding are no longer required to be encrypted, as long as all of the endpoints are using TLS. The relevant section, 9.2.1 of SP-800-63-1, reads as follows:

Secondary authenticator capture – To mitigate this threat, adequate protections shall be in place throughout the lifetime of any secondary authenticators used in the assertion protocol.
In order to protect the secondary authenticator while it is in transit between the Verifier and the Subscriber, the secondary authenticator shall be sent via a protected session established during the primary authentication of the Subscriber using his or her token. This requirement is the same as the requirement in Section 8, regarding the Authentication Process, to protect sensitive data (in this case the secondary authenticator) from session hijacking attacks.
In order to protect the secondary authenticator from capture as it is submitted to the RP, the secondary authenticator shall be used in an authentication protocol which protects against eavesdropping and man-in-the-middle attacks as described in Section 8.
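A practical way to verify the new condition before relying on it, as an added example that is not from the original post or from FICAM/NIST: parse the SAML metadata of both parties and confirm every endpoint Location is an https URL before configuring an IdP to emit unencrypted POST-binding assertions. The SP metadata below is constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample SP metadata (not from any real deployment): the POST
# assertion consumer is on HTTPS, but the logout endpoint is plain HTTP.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def endpoints(metadata_xml):
    """Yield (element name, Binding, Location) for each endpoint element in a
    SAML metadata document. Endpoints are the elements that carry a Location
    attribute (AssertionConsumerService, SingleSignOnService, SLO, ...)."""
    root = ET.fromstring(metadata_xml)
    for elem in root.iter():
        loc = elem.get("Location")
        if loc is not None:
            yield elem.tag.split("}")[-1], elem.get("Binding", ""), loc

def non_tls_endpoints(*metadata_docs):
    """Return endpoints across all given documents (pass both IdP and SP
    metadata) whose Location is not an https URL."""
    return [ep for doc in metadata_docs for ep in endpoints(doc)
            if urlparse(ep[2]).scheme.lower() != "https"]

def unencrypted_post_assertion_acceptable(*metadata_docs):
    """Apply the updated profile rule: an unencrypted POST-binding assertion
    is acceptable only when every endpoint on every side is TLS-protected."""
    return not non_tls_endpoints(*metadata_docs)

if __name__ == "__main__":
    for name, binding, loc in non_tls_endpoints(SAMPLE_SP_METADATA):
        print(f"non-TLS endpoint: {name} ({binding.rsplit(':', 1)[-1]}) at {loc}")
    print("unencrypted POST assertions acceptable:",
          unencrypted_post_assertion_acceptable(SAMPLE_SP_METADATA))
```

Pass the IdP metadata alongside the SP metadata in a real check, since the rule covers all endpoints in the exchange, not only the assertion consumer.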