back-channel on front-channel port

[Cantor, Scott]

On 6/29/21, 1:51 AM, "users on behalf of Bergmann, Clemens" <users-bounces at shibboleth.net on behalf of clemens.bergmann at tu-darmstadt.de> wrote:

>    thanks again for the fast reply but I don't understand fully what you are recommending. 

1. Don't use the back-channel.
2. If you have to, don't use a separate port, vhost, or any form of certificate authentication in either direction.
3. The IdP and the SP automatically sign messages when a SOAP endpoint is over port 443.
4. That doesn't detect MITM relay attacks, that's simply a cost of deploying it this way.

The only one that matters is #1. You don't need the back-channel for SAML and the protocols that do need it don't use mutual TLS (and are, again, subject to MITM relay attacks by design as a result).

-- Scott