I'm adding support for SAML/ADFS/Azure ACS and read that untrusted metadata poses a risk.

Considering that ADFS does background refreshes of the metadata, as do some RPs, can someone explain the risk, and how that relates to the automatic refresh feature?

My thought is that I should disable Auto-Refresh to avoid being affected by another server's exploits.

makerofthings7

1 Answer

Well, more accurately it says that untrusted relying parties pose a risk.

If you accept token requests from any RP then an attacker could easily gather a fair bit of information about a user. That is the risk. If you only respond to requests from RPs that you know and trust then the likelihood that an attacker can gather the same information is lower.

Untrusted metadata on its own isn't really all that risky. It only becomes risky if you start to consume it.

If someone compromises the metadata of a trusted RP then they can do a few things. They can modify the default set of requested claims (but it's still up to the STS to fulfill that request), they can modify the signing key or the encryption key, allowing for man in the middle or related attacks, they can modify the contact details of the administrator, or they can modify the endpoints that tokens are sent to.

The biggest threat IMO is changing the keys. This doesn't necessarily affect the security of the STS directly though, just the RP. Of course, you could be held responsible because you accepted the change of keys, blah blah blah.

The only time I allow metadata to be automatically refreshed is during development. For production deployments I copy the metadata locally and verify it before adding it.

Steve
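Steve's point that the dangerous fields in refreshed RP metadata are the keys, the endpoints and the contact details, together with his practice of reviewing a local copy before accepting it, can be turned into a gate on the refresh. The following is an added example, not code from the original question or answer and not an ADFS or Azure ACS API: it keeps a reviewed copy of an RP's SAML metadata and compares a freshly fetched copy against it, refusing the refresh when any signing or encryption certificate, AssertionConsumerService endpoint, contact address or entityID has changed. The entityID, the endpoints, the placeholder certificate strings and both metadata documents are constructed for the example.

```python
"""Gate an automatic SAML metadata refresh on a diff against a pinned copy.

Added illustration, not part of the original post. The entityID, endpoints,
certificate placeholders and both documents below are constructed. In
production parse metadata from remote endpoints with defusedxml rather than
the stdlib parser, and fetch it over TLS against a pinned CA.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: the RP metadata that was reviewed by hand and pinned.
PINNED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://rp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-OLD</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>admin@rp.example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# Constructed: what a background refresh could pull after the RP's metadata
# endpoint is tampered with. The signing key is swapped, a second ACS
# endpoint under a foreign host is added and the contact is rewritten.
REFRESHED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://rp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-NEW</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rp.example.com/saml/acs" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://attacker.example/saml/acs" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>ops@attacker.example</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def extract_trust_material(xml_text):
    """Pull out the fields an STS actually relies on from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")

    def certs(use):
        found = set()
        for kd in sp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor with no 'use' attribute applies to both uses.
            if kd.get("use", use) != use:
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                found.add("".join((cert.text or "").split()))  # drop PEM line breaks
        return found

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs("signing"),
        "encryption_certs": certs("encryption"),
        "acs_endpoints": {
            (acs.get("Binding"), acs.get("Location"))
            for acs in sp.findall("md:AssertionConsumerService", NS)
        },
        "contacts": {
            e.text.strip()
            for e in root.findall("md:ContactPerson/md:EmailAddress", NS)
            if e.text
        },
    }


def diff_trust_material(pinned, fetched):
    """List every added or removed item in the trust-relevant fields."""
    changes = []
    if pinned["entity_id"] != fetched["entity_id"]:
        changes.append(f"entityID changed: {pinned['entity_id']} -> {fetched['entity_id']}")
    for key in ("signing_certs", "encryption_certs", "acs_endpoints", "contacts"):
        for item in sorted(fetched[key] - pinned[key]):
            changes.append(f"{key} added: {item}")
        for item in sorted(pinned[key] - fetched[key]):
            changes.append(f"{key} removed: {item}")
    return changes


def review_refresh(pinned_xml, fetched_xml):
    """Return (accept, changes): accept only when nothing trusted has moved."""
    changes = diff_trust_material(
        extract_trust_material(pinned_xml), extract_trust_material(fetched_xml)
    )
    return (not changes, changes)


if __name__ == "__main__":
    ok, changes = review_refresh(PINNED_METADATA, REFRESHED_METADATA)
    print("apply refresh" if ok else "HOLD refresh for manual review")
    for change in changes:
        print(" -", change)
```

Run as-is it holds the constructed refresh and lists the five changes (old signing certificate removed, new one added, foreign ACS endpoint added, contact swapped). A refresh in which none of these fields moved returns (True, []) and can be applied without a person looking at it; anything else falls back to the manual verification the answer describes, which is the one case where the automatic path and the hand-checked path differ.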