OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Query regarding SAML specification and SSL


When using SAML Browser/POST profile (1.1/2.0), is it a MUST to use "SSL" over HTTP for ALL concerned URLs as per SAML specifications? i.e. ITS, ACS MUST use HTTPS OR is it ok to use just HTTP?

As per 1.1/2.0 specifications, using SSL over HTTP is OPTIONAL and only "reommended" (not "mandated") when "message integrity", "confidentiality" is required and man-in-the-middle attack is to be avoided.

As per the SAML 1.1 OASIS specification at http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf:
---------------------------- MITM Attack
Threat: Since the destination site obtains bearer SAML assertions from the user by means of an HTML
form, a malicious site could impersonate the user at some new destination site. The new destination site
would believe the malicious site to be the subject of the assertion.
Countermeasure: The destination site MUST check the Recipient attribute of the SAML response to
ensure that its value matches the
https:// consumer host name and path>. As the
response is digitally signed, the Recipient value cannot be altered by the malicious site.


If I have a hardware SSL accelerator front ending my application server, then the traffic from SSL accelerator to application server will be non-SSL. Thus I do not want the "https://" check mentioned above in such a environment. So the above point in the specification is not valid for such a environment. Please let me know if my understanding is correct.

I just want to get this clarified from "SAML specifications" perspective as to whether use of HTTPS is a MUST when using SAML or not? Please answer.

Thanks for your help. (If this is not the correct forum for this question, please guide me to correct forum where I can get answer to this question).



Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]