Integrating SimpleSAMLPHP with Non-HTTPS Website


Lazuardi Nasution

Sep 13, 2013, 11:26:20 PM
to simple...@googlegroups.com
Hi,

When I try to integrate my website (HTTP) with SimpleSAMLPHP, it seems that I must use HTTP URIs on the SP Remote metadata at the IdP too, for example on AssertionConsumerService and SingleLogoutService. If I try to set them with HTTPS URIs, there will be an error. Is this way still secure, I mean setting the SP Remote metadata with HTTP URIs due to the integration with an HTTP website? If not, how do I make it secure?

Best regards,

Peter Schober

Sep 16, 2013, 12:09:11 PM
to simple...@googlegroups.com
* Lazuardi Nasution <mrxlaz...@gmail.com> [2013-09-16 16:22]:
> When I try to integrate my website (HTTP) with SimpleSAMLPHP, it seems that
> I must use HTTP URI too on SP Remote metadata at IDP, for example
> on AssertionConsumerService and SingleLogoutService. If I try to set them
> with HTTPS URI, there will be error.

If you're saying that you get an error when configuring your SAML SP
with HTTPS-protected endpoints when your webserver does not support
HTTPS at all, that doesn't surprise me. What did you expect to happen?

> Is this way still secure, I mean to set SP Remote metadata with HTTP
> URI due to the integration with HTTP website? If not, how to make it
> secure?

That depends. TLS/SSL to the SP will protect the data in transit from
the web browser to the SP's web server.

If you encrypted the data from the SAML IDP to the SAML SP you
wouldn't really need TLS for the protection of the initial
transmission of the SAML assertion to the SP (or rather the data
therein) but (a) browsers will issue a security warning when HTTP
POST-ing from a TLS/SSL protected IDP to the plain-HTTP SP, and (b)
more importantly, much of the security SAML provides is null and void
if anyone could just steal a HTTP session cookie from your plain-HTTP
webserver (where the SP runs, i.e., your valuable resource),
side-stepping SAML completely.
-peter
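The two situations in this reply side by side, as SimpleSAMLphp configuration fragments. This is an added example, not configuration from either poster; the hostname sp.example.org and the entity/endpoint URLs are placeholders, and it assumes the SP's signing/encryption certificate has already been imported into its remote metadata at the IdP.

```php
<?php
// metadata/saml20-sp-remote.php at the IdP: the SP exactly as described in
// the question, reachable over plain HTTP only. The IdP can only register
// HTTP endpoints, so the POSTed assertion and, worse, the SP's session
// cookie travel in the clear and the cookie can be replayed without SAML.
$metadata['http://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
    'AssertionConsumerService' => 'http://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'http://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];

// Hardened: the SP web server serves HTTPS, so the endpoints registered at
// the IdP become HTTPS (no browser warning when POSTing from the TLS IdP),
// and the IdP additionally encrypts the assertion for this SP. Encryption
// requires the SP's public key in this metadata entry (assumed imported).
$metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
    'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    'assertion.encryption'     => true,
];

// config/config.php at the SP: point (b) of the reply. Encrypting the
// assertion does nothing for the session cookie, so the cookie must be
// restricted to HTTPS; with 'session.cookie.secure' => false (the default)
// it would still leak on any plain-HTTP request to the same host.
$config = [
    'baseurlpath'           => 'https://sp.example.org/simplesaml/',
    'session.cookie.name'   => 'SimpleSAMLSessionID',
    'session.cookie.secure' => true,
];
```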