Ng Sek Long

Reputation: 4786

SAML2: SP/IdP metadata loaded by URL, safe or not?

I am managing a SAML2-enabled IdP, and now I need to import an SP into the IdP server.

Usually I just download the XML from the SP and import it into our IdP.

However, I was reading documentation that said it is possible to just use HTTP(S) to load the metadata into our IdP. (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/configuration-metadata.html#configuration-metadata-idp-http)

This seems more convenient (no need to manually re-cert), but I am concerned whether this will lower our security.

So my question is: is it safe to load SP/IdP metadata by URL? If so, what is the reason behind it? Thanks!

Upvotes: 0

Views: 292

Answers (1)

codebrane

Reputation: 4640

How you get it is secondary to how you validate it. The metadata should be signed by the issuer, and your IdP, when it automatically downloads it, should verify the signature on it. A lot of IdPs use the UK Federation metadata URL to automatically ingest/update SP metadata. The metadata is signed by the federation so the IdPs can verify its integrity.

Upvotes: 1
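As an added example (not from the question, the answer, or Spring SAML), here is a Python policy gate an IdP operator can run over metadata fetched by URL before handing it to the SAML stack's XML-DSig verifier: it rejects unsigned documents, signatures that do not cover the whole aggregate, a signing certificate that is not the pinned federation certificate, and expired metadata. The certificate bytes, entity IDs and metadata document are constructed samples, and the cryptographic check of the signature value itself is still left to the library.

```python
# Added example: policy gate for SAML metadata fetched over HTTP(S), run before
# the SAML stack's XML-DSig verifier (it does not replace cryptographic checks).
import base64
import hashlib
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed stand-in for the federation signing certificate (DER bytes); a real
# deployment pins the SHA-256 fingerprint of the certificate obtained out of band.
_FAKE_CERT_DER = b"constructed-federation-signing-cert-DER"
PINNED_FEDERATION_CERT_FP = hashlib.sha256(_FAKE_CERT_DER).hexdigest()
# Constructed aggregate with an enveloped signature over the whole document.
SAMPLE_SIGNED = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_fed1" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_fed1"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(_FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>""".encode()
SAMPLE_UNSIGNED = b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth"/>'


def cert_fingerprint(b64_cert: str) -> str:  # SHA-256 over the DER inside ds:X509Certificate
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def metadata_trust_problems(xml_bytes: bytes, pinned_fp: str, now: datetime = None) -> list:
    """Return policy violations; an empty list means 'hand to the signature verifier'."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag not in (MD + "EntitiesDescriptor", MD + "EntityDescriptor"):
        return ["root element is not SAML metadata"]
    sig = root.find(DS + "Signature")  # direct child of the root, not one buried in an entity
    if sig is None:
        return ["metadata is unsigned"]
    problems = []
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    root_id = root.get("ID")
    if ref is None or ref.get("URI") not in ("", f"#{root_id}" if root_id else ""):
        problems.append("signature does not cover the whole document")
    cert = sig.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or cert_fingerprint(cert) != pinned_fp:
        problems.append("signing certificate is not the pinned federation certificate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil: a stale copy could be replayed indefinitely")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        problems.append("metadata has expired")
    return problems
```

The pinned fingerprint is the trust anchor here, not the TLS certificate of the download URL, which is why an https fetch alone is not what makes URL-loaded metadata safe.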
