 

Using SAML and https or http

Tags: http, https, saml

I am working on a service which provides authentication using the SAML SSO protocol for communication security.

Brief intro: SAML SSO recognizes an Identity Provider (IP or IDP) and a Service Provider, which "trusts" and delegates user authentication to the IDP. Here is how trust is established:

1. Service Provider (SP):
   - trusted IDP name and certificate
   - single sign-on (SSO) URL
2. Identity Provider (IDP):
   - relying SP name and certificate
   - SSO consumer URL

Whenever the SP needs to authenticate a user, it redirects the user to the SSO endpoint and passes the SAMLRequest either in the query string or in a form field (GET or POST method).

What I would like to know is whether it is a requirement that the client requiring authentication sends the request over the "https" protocol, or whether the request can also be relayed over an http channel. I am just asking whether the SAML protocol mandates us to use https or not.

Asif asked Oct 22 '15 13:10




2 Answers

SAML does not require the use of HTTPS. But you should protect your messages in some way. This might be by using XML signature/encryption, HTTPS or some other way. HTTPS will probably be the easiest way to implement this.

Stefan Rasmusson answered Nov 15 '22 10:11


SAML does not REQUIRE the use of HTTPS, but it is RECOMMENDED.

It's an authentication mechanism (even if we're only talking the AuthnRequest), so my question back would be why wouldn't you use HTTPS?

Andrew K. answered Nov 15 '22 10:11
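As an added example (written for this page, not code from the question or either answer), the following Python puts the two halves of the thread together: the SP-side HTTP-Redirect binding the question describes (AuthnRequest carried as a SAMLRequest query parameter, DEFLATE-compressed and base64-encoded), and the receiving-side checks an IdP can apply so that the "protect your messages in some way" advice in the answers is actually enforced: refuse requests that arrived over plain HTTP, verify the request's Destination names the endpoint that received it, and only return users to a registered, HTTPS AssertionConsumerServiceURL. All hostnames, entity IDs and request IDs are constructed sample values. XML-signature verification, the alternative to transport protection named in the first answer, is deliberately out of scope; the checks here are transport and endpoint checks only.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values for this example; none of these are real endpoints.
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(request_id, issuer, acs_url, destination, issue_instant):
    """Build a minimal, unsigned SAML 2.0 AuthnRequest as an XML string."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Reverse of encode_redirect_binding: base64-decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def build_redirect_url(sso_url, xml_text, relay_state=None):
    """Compose the URL the SP redirects the browser to (SAMLRequest in the query string)."""
    params = {"SAMLRequest": encode_redirect_binding(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def check_authn_request(received_url, registered_acs_urls):
    """Receiving-side checks for a redirect-binding AuthnRequest.

    Returns a list of finding codes; an empty list means the request passed.
    """
    findings = []
    parsed = urlparse(received_url)
    if parsed.scheme != "https":
        # SAMLRequest and RelayState travelled in a cleartext query string.
        findings.append("sso-endpoint-not-https")

    params = parse_qs(parsed.query)
    root = ET.fromstring(decode_redirect_binding(params["SAMLRequest"][0]))

    # Destination must name the endpoint that actually received the message.
    endpoint = parsed._replace(query="", fragment="").geturl()
    if root.get("Destination") != endpoint:
        findings.append("destination-mismatch")

    # Only send the user (and later the assertion) back to an endpoint registered for this SP,
    # and insist that endpoint is itself HTTPS.
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in registered_acs_urls:
        findings.append("acs-not-registered")
    elif urlparse(acs).scheme != "https":
        findings.append("acs-not-https")

    return findings


if __name__ == "__main__":
    request_xml = build_authn_request(
        "_req-0001", SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL, "2015-10-22T13:10:00Z"
    )
    redirect_url = build_redirect_url(IDP_SSO_URL, request_xml, relay_state="/dashboard")
    print(redirect_url)
    print(check_authn_request(redirect_url, {SP_ACS_URL}))
```

Running the module builds one request over HTTPS to a registered ACS and reports no findings. Feeding the same request through an `http://` SSO URL produces both `sso-endpoint-not-https` and `destination-mismatch`, which is the practical consequence of the answers' point: once the channel is plain HTTP, the request and its RelayState are readable in transit, and a Destination check is the in-message signal that lets the IdP notice the endpoint it was reached on is not the one the SP intended.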