I thought I would throw in my 2 cents since the original discussion thread was deleted from the wrong space rather than moved here. As I wrote earlier, you are trying to accomplish something that SAML already provides. The only way to fight man-in-the-middle attacks is to make sure that every request is properly authenticated. For a reference scenario based on SAML and RSA SecurID, see this document.