-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sign SAML auth requests #1112
Comments
It's certainly possible, but when we designed the library we found that it doesn't add significant security. Do you have any evidence to the contrary? |
We would like that feature in order to restrict SAML Authentication requests arriving on our IdP to requests originating from a trusted relying party only. |
Yes, I understand that, but why? From my (still limited) understanding, the power of an adversary to request authentication responses does not lead to any dangerous attacks. The attacker still needs to have credentials from a legitimate user that is to be attacked in order to authenticate against the IdP, and can only use the response for a few minutes, and only against the wire team the IdP thinks it sends it to. (I'm not trying to be difficult, it's just that easiest way to get this into the feature pipeline is a cryptographic reason.) |
It can lead to bruteforce attacks. |
Brute force should be prevented by throttling on the IdP side, but you do have a point in that it's always better to have two counter-measures than one. I will bring it up and we'll get back to you. |
Hello |
Hello,
There is no signing cert in Wire SAML metadata file.
Would it be possible for you to implement the signing of SAML authentication requests please?
The text was updated successfully, but these errors were encountered: