我是否应该要求 IdP 签署 SAML2 SSO 响应? [英] Should I require IdP's to sign SAML2 SSO responses?
问题描述
我们的应用与 3 个不同的 (Shibboleth) IdP 集成了 SAML2 SSO.我们正在尝试添加第 4 个(也是 Shibboleth),但遇到了一些问题,因为我们的应用程序希望所有 SSO 响应都经过验证签名.其他 3 个正在签署他们的响应,但第 4 个没有,并且犹豫是否添加自定义配置来强制对我们的应用进行签名.
Our app has SAML2 SSO integration with 3 different (Shibboleth) IdP's. We are trying to add a 4th (also Shibboleth), but running into some issues, because our app expects all SSO responses to be verifiably signed. These other 3 are signing their responses, but the 4th is not, and is hesitant to add a custom config to enforce signing for our app.
从技术上讲,我可以修改我们的应用程序以接受未签名的 SSO 响应,但我想知道我是否应该这样做.允许未签名的 SSO 响应有哪些陷阱?是否存在安全漏洞?
Technically I could modify our app to accept unsigned SSO responses, but I am wondering whether or not I should. What are the pitfalls of allowing unsigned SSO responses? Is there any security vulnerability?
是否有任何 Shibboleth(或其他 SAML2 SSO)文档建议将响应签名作为最佳实践?
Is there any Shibboleth (or other SAML2 SSO) documentation that recommends signing responses as a best practice?
推荐答案
遵循 SAML 2.0 规范的 IdP 的唯一要求是对断言进行数字签名(请参阅 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf - 第 4.1.3.5 节).这足以判断来自 IdP 的 SSO 操作是否应该被与其联合的 SP 信任.
The only requirement for the IdP following the SAML 2.0 spec is to digitally sign the Assertion (see http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf - section 4.1.3.5). That is enough to tell if the SSO operation from an IdP should be trusted by SP that has federated with it.
签署外部响应是可选的.它有一些安全优势,例如防止消息插入或修改(请参阅 http://docs.oasis-open.org/security/saml/v2.0/saml-sec-think-2.0-os.pdf) - 但在实践中,它经常被省略,而不是依赖 SSL/TLS.
Signing the outer Response is optional. There are some security benefits to it, such as preventing Message Insertion or Modification (see sections 6.1.3/6.1.5 in http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf) - but in practice it's often omitted in lieu of relying on SSL/TLS.
这篇关于我是否应该要求 IdP 签署 SAML2 SSO 响应?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
