We're currently in the process of enhancing our Windows .NET desktop application with SAML single sign-on. In order to retrieve the SAMLResponse from the IP, we have the redirect/reply URL set to http://localhost/foobar. This all works fine and we can extract the SAMLResponse from the message request.
As it's going via HTTP on localhost, the SAMLResponse is easily visible if you sniff the loopback adapter. Should we be concerned about this, or, if the local machine is already compromised, would it then be a waste of time using SSL or something else?
Many thanks.