What is the advice - meta data retrieval

Peter Schober peter.schober at univie.ac.at
Fri Apr 12 06:13:55 EDT 2019

* Lalith Jayaweera <ljayaweera at gmail.com> [2019-04-12 05:55]:
> However, only way they can access our IdP meta data is via a URL, no
> any other way.

What Rod said.

If they can validate xmldsig signatures on signed metadata *and*
you're prepared to regularly sign[1] your metadata for that SP to
consume then you "just" push the validUntil date on that metadata into
the future (say, 5-10 days) and re-sign and re-publish that metadata
every day to a URL of your choosing where the SP can fetch it from.

Failing either (or both) of those conditionals I'd suggest to the SP
to host the metadata on a URL of their own, i.e., on an internal,
trusted server of theirs. Maybe even a file:// URL would work.
Then you just send them updates (i.e., static snapshots of your
metadata) via email (or whatever) every couple of years and they
update the local file's content.

Failing that I'd probably arrange for a test with the SP to see how
their metadata consuming process reacts to incorrect TLS parameters on
HTTPS hosted metadata. If all tested TLS error conditions successfully
prevent the SP from ingesting the metadata that may be sufficient
(until they update some part of their software stack and this security
check is silently replaced with "nothing". Though to be fair that
would also be possible with xmldsig validation.)

Failing that -- no signature validation, no local file URLs, no
reliable TLS failures in error conditions -- use of SAML and exchange
of cryptographically secured protocol messages becomes somewhat of a
security theatre since the trust anchor (securing all those protocol
messages) is open to abuse:
By dyamically importing (and blindly trusting) cryptographic keys and
endpoints from a plain text file they automatically load over the
internet they open themselfs up to malicious parties impersonating
your IDP and doing nefarious things with your data or misusing the
services at the SP in your name.


[1] There are Free/Libre tools for that, e.g. samlsign, XmlSecTool and
    MDA (all from the Shibboleth project) or pyFF.

More information about the users mailing list