Security concerns with providing SAML metadata on public URL

Tags: saml, saml-2.0

I am wondering whether there are any major security concerns with providing metadata for SAML configuration on a public URL versus providing the IdP or SP with a metadata file. The metadata includes a public key for encryption.

If there are any security concerns what are they?

nhyne asked Aug 15 '16 20:08



2 Answers

No, there are no security concerns in providing the metadata as a public resource.

Public keys will usually be provided in the metadata for verifying the signature (with the public key, the service provider - consumer - can verify that the SAML response sent by the identity provider has not been tampered with).

For encryption (optional in SAML), the service provider will need to send its public key to the identity provider. With the public key, the identity provider will be able to encrypt the response and only the service provider (with the private key) will be able to decrypt it.

Nico Sabena answered Oct 21 '22 21:10


It depends on the security requirements of your organization.

  • If your organization doesn't want to protect public key material, then you can publish the SAML metadata and allow unlimited and unauthenticated access to it.

  • If your organization wants to protect public key material, then protect the SAML metadata against unlimited and unauthenticated access.

As per public key cryptography, public keys are meant to be freely shared between parties, but in this context your organization's security team has to decide whether the public key material should be made available to the intended party only or publicly available to all.

Zeigeist answered Oct 21 '22 22:10