back-channel on front-channel port

Cantor, Scott cantor.2 at
Tue Jun 29 12:13:09 UTC 2021

On 6/29/21, 1:51 AM, "users on behalf of Bergmann, Clemens" <users-bounces at on behalf of clemens.bergmann at> wrote:

>    thanks again for the fast reply but I don't understand fully what you are recommending. 

1. Don't use the back-channel.
2. If you have to, don't use a separate port, vhost, or any form of certificate authentication in either direction.
3. The IdP and the SP automatically sign messages when a SOAP endpoint is over port 443.
4. That doesn't detect MITM relay attacks; that's simply a cost of deploying it this way.

The only one that matters is #1. You don't need the back-channel for SAML and the protocols that do need it don't use mutual TLS (and are, again, subject to MITM relay attacks by design as a result).

-- Scott
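As an added example (not code from the thread or from the Shibboleth project), a small audit script in Python that parses SAML metadata and lists the SOAP-binding endpoints that sit on a separate port or host from the front channel, the deployment pattern the reply above advises against; the entity and host names are constructed.

```python
# Added example: flag SOAP-binding endpoints in SAML metadata that live on a
# separate port or vhost from the front channel (e.g. 8443 instead of 443).
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata for a hypothetical IdP: one SOAP endpoint on the
# front-channel port (443) and one on a dedicated back-channel port (8443).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def soap_endpoints(metadata_xml: str) -> list[tuple[str, str, int]]:
    """Return (element name, host, port) for every SOAP-binding endpoint."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.iter():
        if el.get("Binding") != SOAP_BINDING:
            continue
        loc = urlsplit(el.get("Location", ""))
        # An absent port means the scheme default (443 for https).
        port = loc.port or (443 if loc.scheme == "https" else 80)
        found.append((el.tag.split("}")[-1], loc.hostname or "", port))
    return found

def separate_port_endpoints(metadata_xml: str, front_host: str) -> list[tuple[str, str, int]]:
    """SOAP endpoints that are not on the front-channel host and port 443."""
    return [e for e in soap_endpoints(metadata_xml)
            if e[1] != front_host or e[2] != 443]

if __name__ == "__main__":
    for tag, host, port in separate_port_endpoints(SAMPLE_METADATA, "idp.example.org"):
        print(f"{tag}: {host}:{port} is on a separate back-channel port or host")
```

Run against real metadata, any line it prints is an endpoint that relies on a dedicated back-channel listener rather than the ordinary port 443 front channel.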
