In addition to the above, the main problem in this scenario is:
when you figure out that the SP issuer ID is duplicated and delete one of
those SPs belonging to one user, it will delete the issuer ID and the assertion
consumer URL of the other SP as well, which can cause an issue that hides
the actual root cause.

On Thu, Nov 30, 2017 at 8:22 AM, Ushani Balasooriya <[email protected]> wrote:

> Hi IAM team,
>
> Please consider the below scenario.
>
> When I think of a system with admin and developer personas in the same
> tenant,
>
> 1. Admin registers a service provider as *travelocity* with issuer id
> *travelocity.com* and assertion consumer url
> http://localhost:8080/travelocity.com/home.jsp and configures the Federated
> IDP as Google
>
> 2. Then the developer persona registers a service provider as *travelocity.com*
> with the same issuer id *travelocity.com* and assertion consumer url
> http://localhost:8080/travelocity.com/home.jsp, since it does not validate the
> issuer id, and configures the federated IDP as Facebook.
>
> In this scenario, only the *service provider name* will be *validated*
> and the *issuer id* will *not be validated.*
>
> Therefore, when we try to access the service provider, it will federate only
> through Google.
>
> This is a very rare negative use case, but when you think of different
> personas, I think this should be considered.
>
> Please correct me if I am wrong.
>
> Thanks,
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>

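The registration, routing and deletion behaviour described in the thread, modelled as an added example (this is illustrative code, not WSO2 Identity Server's). It assumes, for illustration only, that per-tenant SAML inbound configuration is stored keyed by issuer and that each application merely references that issuer; the `TenantRegistry` class, `validate_issuer` switch and `scenario()` helper are constructed here to contrast the missing check with a uniqueness check at registration time.

```python
# Toy model of the mail thread's scenario, added for illustration; not WSO2 code.
# Assumption (constructed): per-tenant SAML inbound config is stored keyed by
# issuer, and each application only references that issuer by name.
from dataclasses import dataclass, field

ACS = "http://localhost:8080/travelocity.com/home.jsp"

class DuplicateIssuerError(ValueError):
    """A second application tried to claim an issuer already in use."""

@dataclass
class TenantRegistry:
    validate_issuer: bool = True
    apps: dict = field(default_factory=dict)  # app name -> (issuer, federated IdP)
    saml: dict = field(default_factory=dict)  # issuer -> assertion consumer URL

    def register(self, name, issuer, acs_url, idp):
        if name in self.apps:  # the only check the thread says exists today
            raise ValueError(f"service provider name already exists: {name}")
        if self.validate_issuer and issuer in self.saml:
            owner = next(n for n, (i, _) in self.apps.items() if i == issuer)
            raise DuplicateIssuerError(f"issuer {issuer!r} already used by {owner!r}")
        self.saml[issuer] = acs_url  # silent overwrite when the check is off
        self.apps[name] = (issuer, idp)

    def delete(self, name):
        issuer, _ = self.apps.pop(name)
        self.saml.pop(issuer, None)  # also drops the config any other app shares

    def resolve(self, issuer):
        """App handling a SAML request with this issuer: first registered match wins."""
        for name, (iss, idp) in self.apps.items():
            if iss == issuer and issuer in self.saml:
                return name, idp, self.saml[issuer]
        return None


def scenario(validate_issuer):
    """Run the admin/developer steps from the thread; return what an operator observes."""
    reg = TenantRegistry(validate_issuer=validate_issuer)
    reg.register("travelocity", "travelocity.com", ACS, "Google")  # admin persona
    try:
        reg.register("travelocity.com", "travelocity.com", ACS, "Facebook")  # developer
    except DuplicateIssuerError as exc:
        return {"second_registration": "rejected", "reason": str(exc)}
    routed_to = reg.resolve("travelocity.com")[1]  # developer's login goes via Google
    reg.delete("travelocity.com")  # developer removes only their own SP ...
    return {"second_registration": "accepted", "routed_to": routed_to,
            "admin_sp_after_delete": reg.resolve("travelocity.com")}
```

`scenario(False)` reproduces the thread: the developer's SP federates through Google, and deleting it leaves the admin's SP with no issuer or assertion consumer URL; `scenario(True)` rejects the second registration up front, naming the application that already owns the issuer.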