Bearer Method Risky?
•In the Web Browser SSO profile the Assertion that the Identity Provider creates must have a SubjectConfirmation element with a Method attribute whose value is: urn:oasis:names:tc:SAML:2.0:cm:bearer
•The bearer Method means that the SP should accept the bearer of the Assertion as the subject. Is this risky?
•Answer: it is considered an acceptable risk provided that the bearer presents the Assertion before the time given in its NotOnOrAfter attribute.
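The check the answer describes, written out as an added example (this is not code from the original slides or from any SAML library): the Service Provider locates the SubjectConfirmation whose Method is the bearer URI and rejects the Assertion if it is presented at or after NotOnOrAfter. The example goes one step beyond the slide by optionally comparing the Recipient attribute against the SP's own Assertion Consumer Service URL, which the Web Browser SSO profile also requires; the sample Assertion, its timestamps, URLs and the NameID are constructed values. Signature verification is assumed to have been done before these checks run.

```python
"""SP-side checks on a bearer SubjectConfirmation (added example, not from the original page)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML_NS}


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T12:05:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat a missing zone designator as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_bearer_confirmation(assertion_xml, now_iso, expected_recipient=None, clock_skew_seconds=0):
    """Return (accepted, reason) for the bearer confirmation of an Assertion.

    Assumes the Assertion's XML signature has already been verified; this
    function only applies the bearer-specific conditions.
    """
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(assertion_xml)  # on untrusted input prefer defusedxml
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confirmations:
        return False, "no SubjectConfirmation element"
    for sc in confirmations:
        if sc.get("Method") != BEARER:
            continue  # other methods (e.g. holder-of-key) are not handled here
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer confirmation lacks SubjectConfirmationData"
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            return False, "NotOnOrAfter attribute missing"
        # "NotOnOrAfter" is exclusive: presenting exactly at that instant is too late.
        if now >= parse_saml_time(not_on_or_after) + skew:
            return False, "Assertion presented at or after NotOnOrAfter"
        if expected_recipient is not None and data.get("Recipient") != expected_recipient:
            return False, "Recipient does not match this SP's ACS URL"
        return True, "bearer confirmation accepted"
    return False, "no bearer SubjectConfirmation"


def sample_assertion(method=BEARER, not_on_or_after="2024-05-01T12:05:00Z",
                     recipient="https://sp.example.org/acs"):
    """Build a constructed (unsigned) Assertion for demonstration only."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2024-05-01T12:00:00Z">'
        f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
        f'<saml:Subject><saml:NameID>alice@example.org</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
    )


if __name__ == "__main__":
    acs = "https://sp.example.org/acs"
    print(check_bearer_confirmation(sample_assertion(), "2024-05-01T12:04:59Z", acs))
    print(check_bearer_confirmation(sample_assertion(), "2024-05-01T12:05:00Z", acs))
```

The timeframe test is deliberately strict (`>=`): the attribute name says "not on or after", so an Assertion presented at exactly the stated second is already stale. A small, explicit clock-skew allowance is the usual way to cope with IdP/SP clock drift rather than loosening the comparison itself.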