Bad Guy Steals (Intercepts) an Assertion from an IdP
• Suppose that an IdP sends out an Authentication Assertion (as a Response to a Request) and a Bad Guy steals (intercepts) it.
• The Bad Guy could present himself* to an SP, with Authentication papers in hand.
• How does the SP determine that the Authentication Assertion does not apply to the presenter (the Bad Guy)? The answer is on the next slide …
* Typically the Bad Guy wouldn't directly interact with the SP.  Rather, his browser interacts with the SP on behalf of the Bad Guy.