ADFS, SharePoint, and InCommon?

THIA Jean-Marie jean-marie.thia at upmc.fr
Fri Nov 9 11:25:36 EST 2012


I looked at the metadata after my mail... this point is easy: no processing of the metadata file and a line in the log.
I might take more time to handle the signature part.
________________________________________
From: users-bounces at shibboleth.net [users-bounces at shibboleth.net] on behalf of Peter Schober [peter.schober at univie.ac.at]
Sent: Friday 9 November 2012 08:12
To: users at shibboleth.net
Subject: Re: ADFS, SharePoint, and InCommon?

* THIA Jean-Marie <jean-marie.thia at upmc.fr> [2012-11-09 00:47]:
> I am not sure to fully understand what you mean with signature
> verification.

In the most common trust model today any security and trustworthiness
of supplied metadata comes from a cryptographic signature (using
XMLsig) inside the metadata. Without verifying that against a signing
key (e.g. obtained securely OOB or involving PKIX), you're susceptible
to manipulated metadata, which could mean changed encryption keys,
protocol endpoints and required attributes.

> It is easy to check validUntil attribute, but what should be done then...
> Remove, disable the IdP ?

If validUntil for an EntitiesDescriptor is in the past, yes.
It's not about one ("the") IdP though, but all entities within that
EntitiesDescriptor.

> Anyway my intention with the script is that it had to be updated to
> each user's needs. So I made it very simple.

Not to be criticizing here, but to me that sounds very much like:
I've left implementing security to the deployer. (Which is fine, since
you're free to do or leave out whatever you want, of course!)
I'm just not sure that is going to happen then, as the deployer will
very likely know less about these things than the author.

FEMMA has the exact same problems, IIRC, but by using pysaml2 with it
(as Roland Hedberg had shown was rather simple) you gain the power of
correct and secure metadata handling. But AFAIK this has not been
picked up by the author of FEMMA (or anyone else, for that matter).
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
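An added illustration of the two checks Peter describes above (signature present, validUntil not in the past, and the whole EntitiesDescriptor treated as one unit); this is example code written for this page, not the script from the thread, FEMMA or pysaml2. The metadata aggregate is constructed, and the signature check is presence-only: real verification needs an XML-DSig library and a signing key obtained out of band.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: an unsigned federation aggregate whose validUntil has passed.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation" validUntil="2012-11-08T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp1.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""
# Same constructed aggregate with a placeholder (empty) ds:Signature element added.
SIGNED_SAMPLE = SAMPLE_METADATA.replace(
    'validUntil="2012-11-08T00:00:00Z">',
    'validUntil="2012-11-08T00:00:00Z">\n  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>', 1)


def _parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(xml_text, now_iso):
    """Decide whether a metadata aggregate may be consumed at time now_iso.

    signed   - a ds:Signature child of the root is present (presence only: the
               signature itself must still be verified with an XML-DSig
               library against a key obtained out of band).
    expired  - validUntil on the EntitiesDescriptor is in the past.
    entities - every entityID covered by that validUntil; if the aggregate has
               expired, all of them are disabled together, not just one IdP.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntitiesDescriptor root")
    signed = root.find("ds:Signature", NS) is not None
    valid_until = root.get("validUntil")
    expired = valid_until is not None and _parse_saml_time(valid_until) < _parse_saml_time(now_iso)
    entities = [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]
    return {"signed": signed, "expired": expired, "entities": entities,
            "usable": signed and not expired}


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "2012-11-09T11:25:36Z"))
```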