(1) In the portal, I set returnURL=www.mit.edu; the argument list of BRM6 (wa[BLOB] & wctx[BLOB]) was indeed posted to www.mit.edu, so the returnURL was not checked against the realm.
(2) "localhost" is not treated as a special realm. If we do two ACS authentications from two client machines, the ACS service doesn't seem to know that "localhost" in different messages may refer to two different physical machines. This may not be an interesting fact, though.
(3) When receiving BRM5, how does ACS ensure that the Google ID data is about a user trying to sign into localhost? Can I do the following: I set up bob.com, trick Alice into accessing it, and copy the argument values of BRM5. Then I use my own browser to post the stolen values to the target namespace (in the example, shuo-acs.accesscontrol.windows.net) as BRM5 does.
Edited by cs0317 (Owner), Wednesday, May 02, 2012 12:32 AM
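For points (1) and (3), the two checks a relying party or token service would want are: the post-back target must share the registered realm's origin (a schemeless value such as `www.mit.edu` should fail outright), and the `wctx` round-trip value must be bound to the browser session that started the sign-in so a response replayed from another browser is rejected. This is an added example in Python, not code from the thread or from ACS; the realm strings, session ids and HMAC key are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def _origin(url):
    """(scheme, host, port) of url, or None if it has no http(s) scheme or host.
    A bare 'www.mit.edu' parses as a path, not a host, so it is rejected here."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname.lower(), port)


def return_url_allowed(return_url, realm):
    """True only if return_url has the realm's exact origin and lies under the
    realm's path. Catches other hosts, 'localhost.evil.example' suffixes and
    'http://localhost@evil.example/' userinfo tricks."""
    ro, rr = _origin(return_url), _origin(realm)
    if ro is None or rr is None or ro != rr:
        return False
    realm_path = urlsplit(realm).path or "/"
    if not realm_path.endswith("/"):
        realm_path += "/"
    path = urlsplit(return_url).path or "/"
    return path == realm_path.rstrip("/") or path.startswith(realm_path)


def new_wctx(session_id, key):
    """wctx value for a sign-in request: a fresh nonce plus an HMAC tying it to
    the caller's session cookie (session_id), so it cannot be reused elsewhere."""
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}:{tag}"


def wctx_matches_session(wctx, session_id, key):
    """Verify the wctx echoed in the response against the session that receives
    it; a value stolen from Alice's browser fails in any other session."""
    nonce, _, tag = wctx.partition(":")
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(tag, expected)
```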