back-channel on front-channel port
cantor.2 at osu.edu
Tue Jun 29 12:13:09 UTC 2021
On 6/29/21, 1:51 AM, "users on behalf of Bergmann, Clemens" <users-bounces at shibboleth.net on behalf of clemens.bergmann at tu-darmstadt.de> wrote:
> thanks again for the fast reply but I don't understand fully what you are recommending.
1. Don't use the back-channel.
2. If you have to, don't use a separate port, vhost, or any form of certificate authentication in either direction.
3. The IdP and the SP automatically sign messages when a SOAP endpoint is over port 443.
4. That doesn't detect MITM relay attacks; that's simply a cost of deploying it this way.
The only one that matters is #1. You don't need the back-channel for SAML and the protocols that do need it don't use mutual TLS (and are, again, subject to MITM relay attacks by design as a result).
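As an added check (not from this thread or the Shibboleth project), the script below audits a SAML metadata file for SOAP-bound endpoints that sit on a dedicated port or non-https scheme, i.e. the separate back-channel port that items 2 and 3 above steer away from; the metadata sample and entity names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample SP metadata (hypothetical entity, not a real deployment):
# one SOAP endpoint on a dedicated 8443 back-channel port, one on plain 443.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.org:8443/Shibboleth.sso/SAML2/SOAP/Artifact" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/SOAP/SLO"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def soap_endpoints(metadata_xml):
    """Return (element name, Location) for every SOAP-bound endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.iter():
        if el.get("Binding") == SOAP_BINDING and el.get("Location"):
            found.append((el.tag.split("}")[-1], el.get("Location")))
    return found


def back_channel_findings(metadata_xml):
    """Flag SOAP endpoints that are not served as https on port 443.

    Anything else is a separate back-channel listener, the deployment shape
    the advice above says to avoid.
    """
    findings = []
    for name, location in soap_endpoints(metadata_xml):
        url = urlparse(location)
        port = url.port or (443 if url.scheme == "https" else 80)
        if url.scheme != "https" or port != 443:
            findings.append(f"{name} at {location}: SOAP over {url.scheme}:{port}, not https:443")
    return findings


if __name__ == "__main__":
    for line in back_channel_findings(SAMPLE_METADATA):
        print(line)
```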