Figure 4-4 provides an example
of a decrypted SAML token.
To decrypt the
token, the site must
have access to the
SSL private key
Figure 4-4 An example of a decrypted SAML token
Using CardSpace in the Browser 241
Token Integrity
It is of extreme importance that a website can verify that a token
came from a speci?¬?c IP. The trust that a website can have about
the information in a token hinges on the capability to verify that
the token comes from a trusted party and has not been modi?¬?ed.
This is accomplished by verifying the signature on the token. This
provides a cryptographically secure integrity check, which ensures
that the token contains the data as intended by the signing
party. Also, because the signing is done with a private key, the
website can use the public key to identify the signer. Solutions for
managing the keys are left for Chapter 6, ???Identity Consumers,???
but simply put, as long as the website can use the public key to
identify a party, it can be sure which party generated the token.
Token Validation
Token validation can take many forms, and the form depends on
the type of token. Because SAML tokens are commonly generated
by CardSpace, they are used to illustrate some of the validation
that can be done.
Pages:
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365