tags:

views:

593

answers:

2
+4  Q: 

Convenient applications for Browser/POST and Browser/Artifact SAML profiles

I'm proposing the use of SAML 1.1 as technology to prove Web SSO in a customer environment, and they asked me something interesting:

Which scenario Browser/POST profile is appropriate, and which scenarios Browser/Artifact profile of SAML is appropriate?

In fact, SAML 1.1 Specifications don´t talk about the best neither most appropriate scenario for both Browser profiles.

Maybe security threats of each one can be used to pick up the best. In my vision, both can be applyed equally in any scenario so far.

*Note: The solution uses Weblogic Server 10.0 and its support to SAML 1.1.

+3  A: 

It seemed to me that both profiles offer similar levels of security. With the POST profile, the user has to explicitly initiate the POST. This might help to thwart something along the lines of a CSRF attack, but I don't know of any actual exploits. The Artifact profile, with its use of the GET method, can provide a more seamless experience for the user.

For me, the drawback to the Artifact profile is the complexity in opening the back channel. My application server dedicates a thread to handling the user request, and if that thread is blocked (waiting for the back-channel IO to complete) for very long, the app server begins to perform very poorly. So, the back-channel communication has to be performed very carefully to ensure that it times out after a defined period of time.

Even then, if the IdP is down having trouble, it's not as obvious to my users that the fault is at the IdP. With a POST profile, if the IdP is misbehaving, users are less likely to blame me.

erickson  2009-05-13 18:55:19
Even using Artifact, the user must obtain it from the IdP. So, the first contact with this Party is an obligation. But you are right in the back-channel issue. Mybe the POST will be selected. Let see the next answers.Really thanks Erickson.
paulosuzart  2009-05-13 19:34:55
+2  A: 

In terms of security, the main difference is that, with POST profile, the SAML response (containing the assertion) travels via the end-user's browser, so it MUST be at least signed, and possibly encrypted, if there's anything you wouldn't want the end-user to be able to see.

With the artifact profile, you can use SSL to secure the back-channel and send an unsigned, unencrypted assertion, since it is passed directly from the IdP to the SP. You may still want to sign the assertion for non-repudiation, though.

As Erickson mentions, though, setting up the outbound 'back-channel' connection from the SP to the IdP comes with its own challenges. Most SAML deployments I've seen use POST for this reason.

BTW - any reason you're using SAML 1.1 rather than 2.0?

metadaddy  2009-06-10 18:04:07

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security