OASIS Mailing List Archives

saml-dev message
Subject: RE: [saml-dev] Query regarding SAML specification and SSL



Thanks, Scott.

"No, it's not. When you offload SSL, you've virtualized the web server. It's
your job to configure the web server for that, and SAML implementations
running on that server should be able to validate requests to https:// URLs
because the server will virtualize the incoming scheme and port for them."

[Darshan]: Are you saying that the web server should ensure that the scheme and port in the HTTP request header "stay" as "SSL" even though the actual scheme when the request reaches the web server in the stated environment is HTTP (since the SSL accelerator has done the SSL processing and forwarded the HTTP request to the web server)?
And if this is done on the web server, then what's the point in validating "https://" in the SAML implementation when we know the incoming request is always going to carry "https://", because the web server itself is going to set the request scheme to "SSL" for every incoming request? I feel it will be more logical to leave the SAML implementation "configurable" to select either an "http://" or an "https://" check (instead of enforcing the "https://" check always) based on the environment under consideration. The SAML administrator has to be clever enough to select whichever option is good enough to ensure prevention of MITM attacks in the given environment.

Please let me know your thoughts.

Regards,

Darshan





From: "Scott Cantor" <cantor.2@osu.edu>
Date: 07/31/2009 09:50 PM
To: "'Darshan Karandikar'" <darshan.karandikar@tcs.com>, <saml-dev@lists.oasis-open.org>
Cc:
Subject: RE: [saml-dev] Query regarding SAML specification and SSL

Darshan Karandikar wrote on 2009-07-31:
> When using SAML Browser/POST profile (1.1/2.0), is it a MUST to use "SSL"
> over HTTP for ALL concerned URLs as per SAML specifications? i.e. ITS, ACS
> MUST use HTTPS OR is it ok to use just HTTP?

Nobody can enforce requirements like that. Only common sense can force
people to do sensible things. Of course, today's not the day to be arguing
the importance of SSL, I suppose.

> If I have a hardware SSL accelerator front-ending my application server,
> then the traffic from the SSL accelerator to the application server will be
> non-SSL. Thus I do not want the "https://" check mentioned above in such an
> environment. So the above point in the specification is not valid for such
> an environment. Please let me know if my understanding is correct.

No, it's not. When you offload SSL, you've virtualized the web server. It's
your job to configure the web server for that, and SAML implementations
running on that server should be able to validate requests to https:// URLs
because the server will virtualize the incoming scheme and port for them.

-- Scott



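The point Scott makes about "virtualizing" the scheme and port, and the failure Darshan expects when that is not done, can be shown in a few lines. The following is an added example written for this archive page, not code posted by either participant or taken from any SAML product. It reconstructs the browser-facing URL from forwarding headers (X-Forwarded-Proto/-Host/-Port) only when the request arrives from the SSL accelerator's address, then compares the SAML 2.0 Response's Destination attribute against that URL. The SAML message, the host names, the proxy address 10.0.0.5 and the three request environments are constructed for the demo; the header names are assumptions about what the front end forwards.

```python
"""Destination check for a SAML 2.0 Response (HTTP-POST binding) behind a TLS-offloading front end.

Added example for this thread, not code from either participant. The SAML message,
host names, addresses and forwarded-header names below are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the shell of a Response an IdP would POST to the SP's ACS.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ID="_c0ffee" Version="2.0" IssueInstant="2009-07-31T16:20:00Z"
    Destination="https://sp.example.com/saml/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Assumption: only the SSL accelerator may tell the back end "this was really https".
# Forwarded headers from any other source are ignored, so a client cannot forge them.
TRUSTED_PROXIES = {"10.0.0.5"}


def _strip_port(host):
    """'example.com:8080' -> 'example.com'; '[::1]:8080' -> '[::1]'."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def effective_request_url(environ, trusted_proxies=TRUSTED_PROXIES):
    """Rebuild the URL the browser used, as a 'virtualized' web server would.

    environ is a WSGI-style dict. If the request came from a trusted front end, the
    scheme/host/port it forwarded override the plain-HTTP values seen on the wire.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    port = str(environ.get("SERVER_PORT", ""))
    if environ.get("REMOTE_ADDR") in trusted_proxies:
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
        host = environ.get("HTTP_X_FORWARDED_HOST", host)
        port = str(environ.get("HTTP_X_FORWARDED_PORT", port))
    scheme = scheme.lower()
    host = _strip_port(host).lower()
    default_port = {"https": "443", "http": "80"}.get(scheme)
    netloc = host if (not port or port == default_port) else f"{host}:{port}"
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return f"{scheme}://{netloc}{path or '/'}"


def saml_destination(xml_text):
    """Return the Destination attribute of a samlp:Response (None if absent)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("Destination")


def _normalize(url):
    """Compare on (scheme, host, explicit port, path); default ports are equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")


def destination_matches(xml_text, environ, trusted_proxies=TRUSTED_PROXIES):
    """True iff the Response's Destination names the URL this request arrived at.

    A missing Destination counts as failure here. The scheme is part of the
    comparison, so a message addressed to https:// is rejected unless the server
    can vouch (via a trusted front end) that it really arrived over TLS.
    """
    dest = saml_destination(xml_text)
    if dest is None:
        return False
    return _normalize(dest) == _normalize(effective_request_url(environ, trusted_proxies))


# Constructed environ as the back end sees it after SSL offload: plain HTTP on 8080,
# from the accelerator, which forwarded the original scheme, host and port.
OFFLOADED = {
    "REMOTE_ADDR": "10.0.0.5", "wsgi.url_scheme": "http",
    "HTTP_HOST": "sp-backend.internal:8080", "SERVER_NAME": "sp-backend.internal",
    "SERVER_PORT": "8080", "SCRIPT_NAME": "", "PATH_INFO": "/saml/acs",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_HOST": "sp.example.com",
    "HTTP_X_FORWARDED_PORT": "443",
}
# Same headers sent straight to the back end by an untrusted client (forgery attempt).
SPOOFED = dict(OFFLOADED, REMOTE_ADDR="203.0.113.9")
# Offloaded, but the front end forwards nothing about the scheme: Darshan's scenario.
UNVIRTUALIZED = {k: v for k, v in OFFLOADED.items() if not k.startswith("HTTP_X_")}

if __name__ == "__main__":
    for name, env in (("offloaded", OFFLOADED), ("spoofed", SPOOFED), ("unvirtualized", UNVIRTUALIZED)):
        print(f"{name:14s} {effective_request_url(env):42s} "
              f"match={destination_matches(SAMPLE_RESPONSE, env)}")
```

Run stand-alone, the three cases show the distinction the thread is about: with a trusted accelerator forwarding the original scheme, the https:// Destination validates even though the back end spoke plain HTTP; with the same headers from an untrusted address, or with no forwarding at all, the reconstructed URL is http://sp-backend.internal:8080/... and the check fails. Making the check "configurable to http://" instead would accept the message in the last two cases as well, which is exactly the downgrade the Destination check exists to prevent.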