Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using SAML and https or http

Tags:

http

https

saml

I am working on an service which provides authentication service using SAML SSO protocol for communication security.

Brief Intro :- SAML SSO recognizes Identity Provider (IP or IDP) and Service Provider, which “trusts” and delegates user authentication to IDP. Here is how trust is established: 1. Service Provider (SP): - trusted IDP name and certificate - single sign on (SSO) URL 2. Identity Provider (IDP): - relying SP name and certificate - SSO consumer URL Whenever SP needs to authenticate user, it redirects it to SSO endpoint and passes SAMLRequest wither in query string or form field (GET or POST method).

What I would like to know is that is it a requirement that the client who requires authentication should be sending request through "https" protocol or the request can also be relayed across using http channel. I am just asking is the SAML protocol mandates us to use https or not

like image 402
Asif Avatar asked Oct 22 '15 13:10

Asif

People also ask

Does SAML work for HTTP?

Protocol. SAML supports hypertext transfer protocol secure (HTTPS) and simple object access protocol (SOAP). The SAML connectors use HTTPS to create a secure connection between the IdP and the federated applications.

Does SAML use SSL?

The SAML Authorization over SSL mechanism attaches an authorization token to the message. SSL is used for confidentiality protection. In this mechanism, the SAML token is expected to carry some authorization information about an end user.

What protocol does SAML use?

SAML is an XML-based authentication protocol in which Identity Providers (IdP) -- entities that manage and store user credentials -- exchange digitally signed XML documents (SAML Assertions) allowing an end-user to access a Service Provider (SP), such as the collection of apps that you use every day at work or a web ...

What is the difference between SAML and SSL?

For SSL, the certificate file is used to encrypt traffic. For SAML, the certificate is used for authentication.

2 Answers

SAML does not require the use of HTTPS. But you should protect your messages in some way. This might be by using XML signature/encryption, HTTPS or some other way. HTTPS will probably be the easiest way to implement this.

like image 177
Stefan Rasmusson Avatar answered Nov 15 '22 10:11

Stefan Rasmusson

SAML does not REQUIRE the use of HTTPS, but it is RECOMMENDED.

It's an authentication mechanism (even if we're only talking the AuthnRequest), so my question back would be why wouldn't you use HTTPS?

like image 30
Andrew K. Avatar answered Nov 15 '22 10:11

Andrew K.
Sign in to Comment

Related questions

How to cache static content (css, images,js files) in CakePHP2?
How to remove 'Authorization: Basic username:password' header from browser
HTTP: Why do you need to specify hostname?
Simple Http alternative for Wireshark
Simple *nix tool for listening to HTTP requests and logging the request data
Perl: Read web text file and "open" it
Read from basic stream (httpRequestStream)
Is it valid to return a body along with an Http 204 status?
How to get an HTTP POST request body as a Java String at the server side?
Negative Array Size Exception
What is the maximum length of referer? [duplicate]
Using telnet under windows to test HTTP
How can I convert numeric HTTP status code to its display name in javascript?
HTTP Content length less than File byte-size, did it fully download?
How do I add CORS headers on a per folder basis on IIS?
Apache HTTP client only two connections are possible
Why does my SOCKS proxy code throw SocketException: Malformed reply from SOCKS server?
How to send POST request through RestTemplate with custom parameter in header
HTTP Server Using Lua/ Torch7
Understanding the value of the header HTTP2-Settings used for http/2 requests and upgrade

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!