Re: back-channel on front-channel port
Bergmann, Clemens
clemens.bergmann at tu-darmstadt.de
Tue Jun 29 12:46:22 UTC 2021
Hi Scott,
thanks for the advice. That makes it very clear.
Unfortunately I have one specific implementation that uses attribute query to detect missing users to remove them in the application. In that case I would have to follow #2.
Is there documentation/papers on #4? Is it not possible to use signature AND encryption on the back-channel Requests?
Kind regards
Clemens Bergmann
--
Clemens Bergmann
User Management and Development Group
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184
http://www.hrz.tu-darmstadt.de/
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On behalf of Cantor, Scott
> Sent: Tuesday, 29 June 2021 14:13
> To: Shib Users <users at shibboleth.net>
> Subject: Re: back-channel on front-channel port
>
> On 6/29/21, 1:51 AM, "users on behalf of Bergmann, Clemens" <users-
> bounces at shibboleth.net on behalf of clemens.bergmann at tu-
> darmstadt.de> wrote:
>
> > thanks again for the fast reply but I don't understand fully what you are
> recommending.
>
> 1. Don't use the back-channel.
> 2. If you have to, don't use a separate port, vhost, or any form of certificate
> authentication in either direction.
> 3. The IdP and the SP automatically sign messages when a SOAP endpoint is
> over port 443.
> 4. That doesn't detect MITM relay attacks, that's simply a cost of deploying it
> this way.
>
> The only one that matters is #1. You don't need the back-channel for SAML
> and the protocols that do need it don't use mutual TLS (and are, again,
> subject to MITM relay attacks by design as a result).
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-
> unsubscribe at shibboleth.net