SAML2 Artifact Resolution (not Attribute Query)

Cantor, Scott cantor.2 at osu.edu
Wed Nov 7 10:27:30 EST 2012


I changed the subject so this isn't misinterpreted in the archive.

On 11/7/12 10:12 AM, "Mike Wiseman" <mike.wiseman at utoronto.ca> wrote:
>
>Hmm, ok I will do some testing. But from a survey of the users list
>(including Ian's response), TLS client authentication (whether on a
>separate port or on 443 per URL) seems to be embraced even with the
>implementation problems. I read the OASIS security doc which is not
>prescriptive on this issue. Any other opinions on whether SAML response
>and/or assertion message signing for the AttributeQuery profile is
>sufficient authentication?

It's probably sufficient, but this is very complex territory to get into.
Without encryption, and without actual trust in the server cert or
transport authn, do you have real confidentiality? Not so much. So that
adds encryption perhaps, with the caveat that XML Encryption is well
broken these days.

And with no MITM protection from TLS, you have to rely on the short life
of the messages.

There are tons of variables here. An SP refusing to do the back channel
port may well not support ignoring your front-channel cert, so now you
have that mess to deal with and maintain. And if they do ignore it, then
they are accepting the risk of the MITM being there, which is bad for them.

There's a reason we use separate ports, regardless of the other variables.
Having done so, it makes using TLS authn much simpler to deal with than
signing and much easier to understand the threat models with.

-- Scott
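The reply above notes that without MITM protection from TLS, a signed back-channel message is protected mainly by its short life. As an added example (not part of the original message, and not Shibboleth code), here is a freshness and replay check a receiver could run after signature verification; the 5-minute window, 60-second skew, and the names `ts` and `check_freshness` are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AGE = timedelta(minutes=5)  # assumed policy: how long a message stays acceptable
SKEW = timedelta(seconds=60)    # assumed clock-skew allowance

def ts(value):
    """Parse a SAML UTC timestamp such as 2012-11-07T15:27:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_freshness(xml_text, now, seen_ids):
    """Return (ok, reason). Assumes the signature was already verified elsewhere."""
    root = ET.fromstring(xml_text)
    msg_id, issued_raw = root.get("ID"), root.get("IssueInstant")
    if not msg_id or not issued_raw:
        return False, "missing ID or IssueInstant"
    issued = ts(issued_raw)
    if issued - SKEW > now:
        return False, "issued in the future"
    if now - issued > MAX_AGE + SKEW:
        return False, "message too old"
    # Every assertion's validity window must still be open.
    for cond in root.iterfind(".//saml:Conditions", NS):
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after and now >= ts(not_on_or_after) + SKEW:
            return False, "assertion expired"
    # A captured message replayed inside its window is caught by the ID cache.
    if msg_id in seen_ids:
        return False, "replayed ID"
    seen_ids.add(msg_id)
    return True, "fresh"

# Constructed sample message (signature elements omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2012-11-07T15:27:30Z">
  <saml:Assertion ID="_constructed2" Version="2.0" IssueInstant="2012-11-07T15:27:30Z">
    <saml:Conditions NotBefore="2012-11-07T15:27:00Z" NotOnOrAfter="2012-11-07T15:32:30Z"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    cache = set()
    print(check_freshness(SAMPLE, ts("2012-11-07T15:28:00Z"), cache))
    print(check_freshness(SAMPLE, ts("2012-11-07T15:28:05Z"), cache))
```

The ID cache only has to retain entries for `MAX_AGE + SKEW`, since older messages are rejected on age alone.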



