Scott Cantor wrote on 8/25/2004, 2:29 PM:
So here's how it's an issue:
<SubjectConfirmationData Recipient="URL submitted by bad provider">
Ahh... makes more sense now. I thought the Recipient would have a
ProviderID in it, not the URL that the response was sent to.
I'm not sure we want the URL in there in cases where this assertion
isn't being used on an browser based SSO transaction. Need to
think about this some more.