Allow endpoints to authenticate IDP reply
Let me try to clarify the idea.
1. You visit a protected endpoint. The endpoint creates a session the way it usually does. This needs to be tamper resistant (for example signed, or with the content kept on the server and only the session_id in the cookie). In this session it stores a nonce. It also adds the nonce to the redirect URL.
2. The IdP extracts the nonce from the URL and includes it in the ticket (pretty much like the service param now).
3. The protected endpoint compares the nonce in the ticket (request URL) to the one in the session (request cookie).
In an attempt to take over the target's account, an attacker can maybe figure out the nonce from the redirect URL in 3). But since the session is tamper resistant, they cannot set their own nonce. The only way to do that would be to steal the cookie from the target, but if they can do that they can take over their session anyway.
In an attempt to log the other user into their own account, they would have to set a cookie in the target's browser that maps to a session with a matching nonce. If they can seed cookies in the target's browser, they can inject a session anyway.
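The three steps above as a runnable sketch (an added example, not code from the original thread or from any IdP project). Assumptions: the session store is a server-side dict keyed by the opaque cookie value, and an HMAC over the ticket with a constructed key `IDP_KEY` stands in for whatever ticket validation the endpoint normally does against the IdP; the nonce is treated as single-use.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: key the IdP uses to sign tickets. In a real
# deployment the endpoint would validate the ticket with the IdP instead.
IDP_KEY = b"idp-ticket-signing-key-demo"


def start_login(sessions: dict, endpoint_url: str) -> tuple[str, str]:
    """Step 1: endpoint creates a server-side session holding a fresh nonce
    and builds the IdP redirect URL carrying that nonce. The cookie value is
    only the session_id, so the nonce itself cannot be tampered with."""
    session_id = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    sessions[session_id] = {"nonce": nonce}
    redirect = "https://idp.example/login?" + urlencode(
        {"service": endpoint_url, "nonce": nonce})
    return session_id, redirect


def idp_issue_ticket(redirect_url: str, user: str) -> str:
    """Step 2: IdP copies the nonce from the redirect URL into a signed ticket."""
    nonce = parse_qs(urlparse(redirect_url).query)["nonce"][0]
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "nonce": nonce}).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_callback(sessions: dict, cookie: str, ticket: str):
    """Step 3: endpoint checks the ticket, then requires the nonce in the
    ticket to equal the nonce in the session the cookie points at.
    Returns the authenticated user, or None if anything does not line up."""
    session = sessions.get(cookie)
    if session is None:
        return None                      # no login attempt in this browser
    try:
        payload, sig = ticket.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                      # ticket not issued by the IdP
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not hmac.compare_digest(claims["nonce"], session["nonce"]):
        return None                      # ticket belongs to another login attempt
    sessions.pop(cookie)                 # assumption: nonce is single-use
    return claims["user"]
```

A ticket minted for a different login attempt (a different session and therefore a different nonce) is rejected even when it is a valid IdP ticket, which is the property the comment describes.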