I am wondering whether there are any major security concerns with providing metadata for SAML configuration on a public URL versus providing the IdP or SP with a metadata file. The metadata includes a public key for encryption.
If there are any security concerns what are they?
SAML metadata is an XML document carrying the configuration that an identity provider and a service provider need in order to interoperate automatically: entity identifiers, supported bindings and endpoint URLs, certificates and public keys, cryptographic capabilities, and security and privacy policies.
SAML provides a standardised, signed way of passing authentication and authorisation data between an identity provider and service providers. When a user logs into a SAML-enabled application, the service provider sends the user to the appropriate identity provider and receives an authentication assertion back.
SAML works by exchanging user information, such as the login name, authentication state, identifiers and other relevant attributes, between the identity provider and the service provider. As a result it simplifies and secures the authentication process: the user only needs to log in once with a single set of credentials.
No, there are no security concerns in providing the metadata as a public resource.
Public keys will usually be provided in the metadata for verifying the signature (with the public key, the service provider, i.e. the consumer, can verify that the SAML response sent by the identity provider has not been tampered with).
For encryption (optional in SAML), the service provider will need to send its public key to the identity provider. With the public key, the identity provider will be able to encrypt the response and only the service provider (with the private key) will be able to decrypt it.
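As an added illustration of the point made in this answer (this is example code, not part of the original question or answers): because the keys in metadata are public, what a consumer of metadata hosted on a public URL has to care about is integrity, not secrecy. The Python below parses a constructed IdP metadata document (the entityID, endpoints and "certificates" are placeholders, not a real IdP or real X.509 data), extracts the signing and encryption certificates, pins their SHA-256 fingerprints against values agreed out of band, and flags any SSO endpoint that is not served over https. A tampered copy of public metadata would typically swap the signing certificate or an endpoint, and both of those are caught here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample data (not a real IdP, not real certificates): the
# "certificates" are placeholder byte strings standing in for DER-encoded X.509.
SIGNING_CERT_DER = b"constructed-signing-cert-der-bytes"
ENCRYPTION_CERT_DER = b"constructed-encryption-cert-der-bytes"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SIGNING_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass(frozen=True)
class KeyEntry:
    use: str          # "signing", "encryption", or "both" when no use attribute is present
    fingerprint: str  # SHA-256 hex digest over the DER bytes


@dataclass
class Metadata:
    entity_id: str
    sso_endpoints: dict  # binding URI -> Location URL
    keys: list           # list of KeyEntry


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text: str) -> Metadata:
    """Extract entityID, SSO endpoints and certificate fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    keys = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use") or "both"  # a KeyDescriptor without 'use' is valid for both
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            keys.append(KeyEntry(use, fingerprint(der)))

    endpoints = {
        e.get("Binding"): e.get("Location")
        for e in root.iterfind(".//md:SingleSignOnService", NS)
    }
    return Metadata(entity_id, endpoints, keys)


def check_pins(meta: Metadata, pinned: set, use: str = "signing") -> bool:
    """True only if at least one cert is advertised for `use` and every one of them is pinned.

    Pins are SHA-256 fingerprints agreed out of band with the IdP operator; they
    bind the public metadata to the party you expect, whatever URL it came from.
    """
    candidates = [k for k in meta.keys if k.use in (use, "both")]
    return bool(candidates) and all(k.fingerprint in pinned for k in candidates)


def insecure_endpoints(meta: Metadata) -> list:
    """SSO endpoints not served over https; a tampered copy could point users here."""
    return sorted(loc for loc in meta.sso_endpoints.values()
                  if not loc.lower().startswith("https://"))


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print("entityID:", meta.entity_id)
    for k in meta.keys:
        print(f"  {k.use:10s} sha256:{k.fingerprint}")
    print("signing pin ok:", check_pins(meta, {fingerprint(SIGNING_CERT_DER)}))
    print("insecure endpoints:", insecure_endpoints(meta))
```

In practice the pins would be the fingerprints of the real IdP certificates, obtained from the operator rather than from the same URL the metadata is fetched from, and the metadata itself should be retrieved over TLS and, where the IdP signs it, its XML signature verified with a library such as xmlsec before any of these fields are trusted.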
It depends on security requirements of your organization.
If your organization doesn't want to protect public key material, then you can publish it and allow unlimited, unauthenticated access to the SAML metadata.
If your organization wants to protect public key material, then protect the SAML metadata against unlimited and unauthenticated access.
As per public key cryptography, public keys are meant to be freely shared between parties, but in this context your organization's security team has to decide whether the public key material should be made available to the intended party only or publicly available to all.