SAML2 Attribute Query
Mike Wiseman
mike.wiseman at utoronto.ca
Wed Nov 7 10:12:28 EST 2012
> As far as the port issue, it's not impossible to
> use 443, but that depends on the software involved, how client cert configuration is
> done. Limiting client authentication to specific URLs requires TLS renegotiation,
> which has a lot of technical issues associated with it from security flaws in recent
> years. I don't even pretend to know the state of all that.
>
> The IdP itself knows nothing about it. It just expects client authn to be there for
> requests to the resolution profile handler and if they're not (and the request isn't
> signed as a substitute), it will reject it.
>
> Generally when you use the front channel port for this, one does message signing
> instead of client TLS.
>
> -- Scott
>
Hmm, OK, I will do some testing. But from a survey of the users list (including Ian's response), TLS client authentication (whether on a separate port or on 443 per URL) seems to be embraced even with the implementation problems. I read the OASIS security doc, which is not prescriptive on this issue. Any other opinions on whether SAML response and/or assertion message signing for the AttributeQuery profile is sufficient authentication?
Thanks,
Mike
Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto