
We're currently in the process of enhancing our Windows .NET desktop application with SAML single sign-on. In order to retrieve the SAMLResponse from the IP we have the redirect/reply URL set to http://localhost/foobar. This all works fine and we can extract the SAMLResponse from the message request.

As it's going via http localhost the SAMLResponse is easily visible if you sniff the loopback adapter. Should we be concerned about this, or if the local machine is already compromised would it then be a waste of time using SSL or something else?

Many thanks.

nblackburn
    While you ask in the context of SAMLResponse, I see this as a special case of the more general question, i.e. should one use SSL on localhost. Therefore marked as duplicate of several other questions which basically say: there is **almost** no reason to do it. – Steffen Ullrich Mar 06 '21 at 19:36

0 Answers