nhyne

Reputation: 445

Security concerns with providing SAML metadata on public URL

I am wondering whether there are any major security concerns with providing metadata for SAML configuration on a public URL versus providing the IdP or SP with a metadata file. The metadata includes a public key for encryption.

If there are any security concerns, what are they?

Upvotes: 12

Views: 8074

Answers (4)

Darren DeHaven

Reputation: 1

The concerns are:

  • certificate verification bugs, such as CVE-2024-6800
  • futuristic quantum attacks

Replying to comment: "No, there are no security concerns in providing the metadata as a public resource."

Except when there are "Improper Verification of Cryptographic Signature" bugs, such as CVE-2024-6800...

"The security issue is identified as CVE-2024-6800 and received a 9.5 severity rating as per the CVSS 4.0 standard. It is described as an XML signature wrapping problem that occurs when using the Security Assertion Markup Language (SAML) authentication standard with certain identity providers.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges.” – GitHub"

"Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication."

There are also the possible quantum attacks that could appear in the future with Shor’s quantum algorithm, which was invented in 1994. But as far as I'm aware, quantum attacks aren't in the present or near future yet.

Upvotes: -1
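The CVE text quoted in this answer describes an XML signature wrapping problem. The defender-side point is that a SAML consumer must bind the element whose signature it verified to the element whose claims it then uses; a check of "is there a valid signature somewhere in this document?" is what wrapping attacks get past. The following is an added example written for this page (not GitHub's code, not a SAML library's code, and not part of the answer above) showing only that structural binding check in plain Python. It assumes that real cryptographic verification of the `ds:Signature` (canonicalization, digest, signature value) is done by a proper XML-DSig library; both sample documents are constructed, and their `SignatureValue` contents are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the single Assertion is the element the enveloped Signature's
# Reference points at. SignatureValue is a placeholder; no cryptography is done here.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample in the wrapping shape: the signed assertion (_a1) has been
# relocated under Extensions, and an unsigned assertion (_a2) with different
# content sits where a consumer normally looks. A verifier that only asks "is
# there a valid signature somewhere in this document?" accepts it; the
# structural rules below reject it.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>mallory</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def bound_assertion(xml_text: str):
    """Return the one Assertion that is safe to consume, or None.

    Structural rules applied alongside (not instead of) cryptographic
    signature verification:
      1. exactly one Assertion anywhere in the document, and it is a direct
         child of Response, so a signed copy cannot be parked elsewhere;
      2. that Assertion carries its own enveloped Signature whose single
         Reference URI is "#<its own ID>", so the element the signature
         covers is the element whose claims will be used.
    """
    root = ET.fromstring(xml_text)
    direct = root.findall("saml:Assertion", NS)
    anywhere = root.findall(".//saml:Assertion", NS)
    if len(direct) != 1 or len(anywhere) != 1:
        return None
    assertion = direct[0]
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        return None
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion.get("ID", ""):
        return None
    return assertion


def accepted_subject(xml_text: str):
    """NameID of the subject the response may be used for, or None if rejected."""
    assertion = bound_assertion(xml_text)
    if assertion is None:
        return None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None


if __name__ == "__main__":
    print("good    ->", accepted_subject(GOOD_RESPONSE))     # alice
    print("wrapped ->", accepted_subject(WRAPPED_RESPONSE))  # None
```

The rules are deliberately strict (one assertion, enveloped signature on that assertion, one reference to its own ID); a deployment that legitimately signs the whole `Response` instead would adapt rule 2 to require the reference to point at the `Response` ID, but the principle is the same: the verified element and the consumed element must be the same node.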

StinkySocks

Reputation: 922

For those asking themselves, "Should I really make a security decision based on this post?" I would respond that Microsoft makes SAML metadata readily available via public URLs. See this reference: https://learn.microsoft.com/en-us/entra/identity-platform/federation-metadata. If Microsoft felt this data were sensitive, they would not do this. And, therefore, it is okay to (re-)post via a public URL.

Upvotes: 2

Zeigeist

Reputation: 4015

It depends on the security requirements of your organization.

  • If your organization doesn't want to protect public key material, then you can publish it and allow unlimited and unauthenticated access to the SAML metadata.

  • If your organization wants to protect public key material, then protect the SAML metadata against unlimited and unauthenticated access.

As per public key cryptography, public keys are meant to be freely shared between parties, but in this context, your organization's security team has to decide whether the public key material should be made available to the intended party only or publicly available to all.

Upvotes: 3

Nico Sabena

Reputation: 7064

No, there are no security concerns in providing the metadata as a public resource.

Public keys will usually be provided in the metadata for verifying the signature (with the public key, the service provider - consumer - can verify that the SAML response sent by the identity provider has not been tampered with).

For encryption (optional in SAML), the service provider will need to send its public key to the identity provider. With the public key, the identity provider will be able to encrypt the response and only the service provider (with the private key) will be able to decrypt it.

Upvotes: 17
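The answer above explains what the metadata carries: a signing certificate the SP uses to verify IdP responses and, optionally, an encryption certificate the IdP uses to encrypt responses to the SP. The example below is added for this page (it is not part of the answer and not a SAML toolkit's code) and shows the two checks a practitioner wants around a metadata document fetched from a public URL: confirm it contains only public material before publishing it, and pin the signing certificate's fingerprint against a value obtained out of band so that the consumer does not blindly trust whatever the URL serves at fetch time. The metadata document is constructed, and the certificate bodies are base64 placeholders rather than real X.509 certificates; the parsing uses only the Python standard library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed certificate bodies: stand-ins for DER-encoded X.509 certificates so
# the sample metadata is self-contained. They are not real certificates.
SIGNING_BLOB = base64.b64encode(b"constructed signing certificate placeholder").decode()
ENCRYPTION_BLOB = base64.b64encode(b"constructed encryption certificate placeholder").decode()

# Constructed IdP metadata in the shape a public metadata URL serves: one
# KeyDescriptor for signing, one for encryption, plus an SSO endpoint.
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_BLOB}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_BLOB}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def entity_id(xml_text: str) -> str:
    """The entityID the partner will be configured against."""
    return ET.fromstring(xml_text).get("entityID", "")


def certificate_fingerprints(xml_text: str) -> dict:
    """Map 'signing' / 'encryption' to SHA-256 fingerprints (hex) of every
    certificate in the metadata. A KeyDescriptor with no 'use' attribute is
    valid for both purposes in SAML metadata, so it is recorded under both."""
    root = ET.fromstring(xml_text)
    out = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Certificate text is base64 that may be wrapped across lines.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprint = hashlib.sha256(der).hexdigest()
            for use in uses:
                if use in out:
                    out[use].append(fingerprint)
    return out


def contains_private_material(xml_text: str) -> bool:
    """Pre-publication sanity check: metadata must carry only public material.
    A PEM private-key block pasted in by mistake is the classic leak shape."""
    return "PRIVATE KEY-----" in xml_text


def pinned_signing_key_matches(xml_text: str, expected_fingerprint: str) -> bool:
    """Compare the signing certificate served at the URL with a fingerprint the
    partner gave you out of band. The URL being public is not the risk; trusting
    whatever it serves at fetch time, without this comparison, is."""
    return expected_fingerprint.lower() in certificate_fingerprints(xml_text)["signing"]


if __name__ == "__main__":
    fps = certificate_fingerprints(METADATA)
    print("entityID           :", entity_id(METADATA))
    print("signing fingerprint:", fps["signing"][0])
    print("private material?  :", contains_private_material(METADATA))
    print("pin matches?       :", pinned_signing_key_matches(METADATA, fps["signing"][0]))
```

In operation the fingerprint to pin is recorded when the federation is first set up and re-confirmed through a known channel whenever the partner rotates keys; fetching the metadata over TLS from the documented URL, as the Microsoft reference in the other answer does, covers transport integrity, and the pin covers the case where the URL itself is wrong or its content has changed unexpectedly.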
