12

Identity Providers (IdP) often provide a metadata file that is used when setting up SAML. This file needs to be entered into a Service Provider (SP). Do we need to keep this metadata file private and secure? Or is the information within it all safe to make public? I'm curious when setting up a service provider what level of protection we must place on this information.

Ben McCann

1 Answer

10

The metadata file doesn't have any sensitive information in it. It provides information that the SP can use to trust an assertion coming from [IdP] (so no one else can claim to be [IdP]). The typical information it contains is: SSO URL, issuer name, and the certificate containing the PKI "public" key. All of these are pretty much public anyway (as any user can see them in the SAML assertion if they capture it in the browser). With this information, the bad guy cannot really do anything.

Source link went dead.

Tom K.
  • Couldn't someone perform MITM later if the metadata exchange is intercepted from the beginning? – musiKk Feb 17 '15 at 14:26
  • @musiKk leveraging a MitM position is largely impractical with properly deployed SAML 2.0 IdPs and SPs since the messages are encrypted and cryptographically signed. The attacker would need to break the private keys to take advantage of a MitM position. Even MitB (Man-in-the-Browser) can be mitigated somewhat since SAML IdPs can be very practically deployed to whitelist locality (LAN, trusted network, VPN). – Alain O'Dea Jun 29 '15 at 18:51
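To make concrete what the answer lists, here is an added example (not from the original post or any IdP vendor) that parses a minimal SAML 2.0 IdP metadata document and pulls out exactly those fields: the entityID (issuer name), the SingleSignOnService locations, and the X509Certificate in each KeyDescriptor. It also computes a SHA-256 fingerprint of each certificate, which is what an SP administrator compares against a value obtained out of band (a phone call, a vendor portal) before trusting metadata that arrived over an untrusted channel; that pin is the practical answer to the MITM question in the comments, since the risk with metadata is substitution, not disclosure. The metadata sample, the hostnames, and the certificate bytes are constructed placeholders, not a real IdP or a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for DER-encoded certificate bytes.
# A real IdP would publish its actual X.509 signing certificate here.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample: the shape of a minimal IdP EntityDescriptor.
# idp.example.org is an assumed hostname, not a real deployment.
SAMPLE_IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\n'
    '    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"\n'
    '    entityID="https://idp.example.org/saml">\n'
    '  <md:IDPSSODescriptor'
    ' protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '    <md:KeyDescriptor use="signing">\n'
    '      <ds:KeyInfo><ds:X509Data>\n'
    '        <ds:X509Certificate>\n' + CERT_B64 + '\n</ds:X509Certificate>\n'
    '      </ds:X509Data></ds:KeyInfo>\n'
    '    </md:KeyDescriptor>\n'
    '    <md:SingleSignOnService'
    ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
    ' Location="https://idp.example.org/saml/sso"/>\n'
    '    <md:SingleSignOnService'
    ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    ' Location="https://idp.example.org/saml/sso"/>\n'
    '  </md:IDPSSODescriptor>\n'
    '</md:EntityDescriptor>\n'
)


def parse_idp_metadata(xml_text):
    """Return the public facts an SP needs from IdP metadata:
    issuer (entityID), SSO endpoints per binding, and signing/encryption certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.attrib["entityID"]

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Map each binding to its endpoint; an SP picks the binding it supports.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.attrib["Binding"]] = svc.attrib["Location"]

    # Per the metadata spec, a KeyDescriptor without 'use' serves both purposes.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.attrib.get("use", "signing encryption")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Certificates are base64 with arbitrary whitespace; strip it first.
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append({
                "use": use,
                "der": der,
                "sha256": hashlib.sha256(der).hexdigest(),
            })
    return {"entity_id": entity_id, "sso": sso, "certs": certs}


def pin_matches(parsed, expected_sha256):
    """Out-of-band check: does any signing cert in the metadata match the
    fingerprint the IdP operator communicated separately? Accepts the common
    colon-separated upper-case form as well as a bare hex digest."""
    want = expected_sha256.replace(":", "").lower()
    return any(
        c["sha256"] == want and "signing" in c["use"] for c in parsed["certs"]
    )


def has_private_key_material(xml_text):
    """Sanity check before publishing metadata: it must carry certificates only.
    A PEM private-key header anywhere in the file means the wrong artifact
    was exported."""
    return "PRIVATE KEY" in xml_text


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("issuer:", meta["entity_id"])
    for binding, location in meta["sso"].items():
        print("sso:", binding.rsplit(":", 1)[-1], location)
    for cert in meta["certs"]:
        print("cert (%s) sha256=%s" % (cert["use"], cert["sha256"]))
    print("contains private key material:", has_private_key_material(SAMPLE_IDP_METADATA))
```

Nothing extracted here is secret: the entityID and endpoints appear in every AuthnRequest and Response that passes through the user's browser, and the certificate is the public half of the IdP's signing key. What the SP must protect is the integrity of this data at import time, which is why the fingerprint comparison (or a signature over the metadata itself, if the IdP signs it) matters far more than keeping the file private.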