saml-dev message
Subject: RE: [saml-dev] Query regarding SAML specification and SSL


Darshan Karandikar wrote on 2009-07-31:
> When using SAML Browser/POST profile (1.1/2.0), is it a MUST to use "SSL"
> over HTTP for ALL concerned URLs as per SAML specifications? i.e. ITS, ACS
> MUST use HTTPS OR is it ok to use just HTTP?

Nobody can enforce requirements like that. Only common sense can force
people to do sensible things. Of course, today's not the day to be arguing
the importance of SSL, I suppose.

> If I have a hardware SSL accelerator front ending my application server,
> then the traffic from SSL accelerator to application server will be
> non-SSL. Thus I do not want the "https://" check mentioned above in such
> an environment. So the above point in the specification is not valid for
> such an environment. Please let me know if my understanding is correct.

No, it's not. When you offload SSL, you've virtualized the web server. It's
your job to configure the web server for that, and SAML implementations
running on that server should be able to validate requests to https:// URLs
because the server will virtualize the incoming scheme and port for them.

-- Scott
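The step the reply describes, "virtualizing" the incoming scheme and port so that a SAML implementation behind an SSL offloader can still match an https:// Destination, is shown below as an added example; it is not code from this thread or from any SAML product. It assumes the offloader passes the common X-Forwarded-Proto / X-Forwarded-Port headers (names are configurable on real accelerators) and that the app server knows the offloader's addresses. The check itself is the SAML 2.0 HTTP-POST binding rule that the Destination attribute must match the URL the message was actually received at.

```python
"""Reconstruct the client-facing URL behind an SSL offloader, then apply
the SAML 2.0 Destination check against it.

Added example, not code from the thread.  Assumptions (hypothetical):
  - the offloader sends X-Forwarded-Proto / X-Forwarded-Port
  - the offloader talks to the app server from TRUSTED_PROXIES
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: the only peers whose forwarded headers are believed.  Without
# this list any client on the plain-HTTP port could claim "https".
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

DEFAULT_PORTS = {"http": 80, "https": 443}
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def effective_url(peer_ip, host, port, path, headers):
    """Return the URL the browser used, as seen through the offloader.

    peer_ip / port: what the app server's own (non-SSL) socket saw.
    headers: request headers with lower-cased names.
    """
    scheme = "http"
    from_proxy = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if from_proxy:
        proto = headers.get("x-forwarded-proto", "").lower()
        if proto in DEFAULT_PORTS:
            scheme = proto
            # Port as the client saw it; default for the scheme if absent.
            fwd_port = headers.get("x-forwarded-port", "")
            port = int(fwd_port) if fwd_port.isdigit() else DEFAULT_PORTS[proto]
    hostport = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{hostport}{path}"


def destination_of(saml_response_xml):
    """Pull the Destination attribute from a samlp:Response."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("Destination")


def destination_matches(destination, received_url):
    """Compare scheme, host, port and path; default ports are equivalent."""
    def norm(url):
        u = urlsplit(url)
        scheme = u.scheme.lower()
        return (scheme, (u.hostname or "").lower(),
                u.port or DEFAULT_PORTS.get(scheme), u.path)
    return destination is not None and norm(destination) == norm(received_url)


# Constructed sample (not a real, signed response): only Destination matters.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2009-07-31T00:00:00Z" '
    'Destination="https://sp.example.com/saml/acs"/>'
)


def demo():
    """Three deliveries of the same POST to an app server listening on 8080."""
    dest = destination_of(SAMPLE_RESPONSE)
    cases = {
        # Offloader forwarded the scheme: the https:// check passes.
        "virtualized": effective_url("10.0.0.5", "sp.example.com", 8080,
                                     "/saml/acs", {"x-forwarded-proto": "https"}),
        # Offloader not configured to forward the scheme: check fails.
        "unconfigured": effective_url("10.0.0.5", "sp.example.com", 8080,
                                      "/saml/acs", {}),
        # Untrusted client spoofing the header on the plain port: ignored.
        "spoofed": effective_url("203.0.113.9", "sp.example.com", 8080,
                                 "/saml/acs", {"x-forwarded-proto": "https"}),
    }
    return {name: destination_matches(dest, url) for name, url in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'accept' if ok else 'reject'}")
```

Most application servers and reverse proxies have a built-in equivalent of `effective_url` (a "remote IP" or "proxy protocol" setting); the two things to verify when enabling it are that it only honours forwarded headers from the offloader's addresses and that it rewrites the port as well as the scheme, otherwise the reconstructed URL still will not match the Destination.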