We are trying to do SSO between sharepoint and JBOSS through SAML, we were able to get the SAML1.1 Assertion  issued to shaprepoint, and passed to JBOSS, and the JBOSS will accept it and allow the user to access.

But during the test, we found the following issues:

1. the SAML Assertion will never expire, even though it is present.

2. it will not check the signature

3. if I present the SAML Assertion to another SP which is NOT configured with the same IPD where the Assertion is coming from, the SP will still accept it.

This behavior is in both Picketlink 2.1.6 and 2.7.cr2.

when testing with SAML 2.0 token, the behavior is different

1. it will check expiration time

2. it will validate the signature.

this looks like a big security hole when working with SAML 1.1.

thanks

Kevin