SAML2 Attribute Query

Mike Wiseman mike.wiseman at
Wed Nov 7 10:12:28 EST 2012

> As far as the port issue, it's not impossible to
> use 443, but that depends on the software involved, how client cert configuration is
> done. Limiting client authentication to specific URLs requires TLS renegotiation,
> which has a lot of technical issues associated with it from security flaws in recent
> years. I don't even pretend to know the state of all that.
> The IdP itself knows nothing about it. It just expects client authn to be there for
> requests to the resolution profile handler and if they're not (and the request isn't
> signed as a substitute), it will reject it.
> Generally when you use the front channel port for this, one does message signing
> instead of client TLS.
> -- Scott

Hmm, ok I will do some testing. But from a survey of the users list (including Ian's response), TLS client authentication (whether on a separate port or on 443 per URL) seems to be embraced even with the implementation problems. I read the OASIS security doc which is not prescriptive on this issue. Any other opinions on whether SAML response and/or assertion message signing for the AttributeQuery profile is sufficient authentication?



Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto

