Wednesday 6 July 2022

Can the SAML metadata URL be publicly accessible?

https://stackoverflow.com/questions/38962290/security-concerns-with-providing-saml-metadata-on-public-url

No, there are no security concerns in providing the metadata as a public resource.

Public keys will usually be provided in the metadata for verifying the signature (with the public key, the service provider - consumer - can verify that the SAML response sent by the identity provider has not been tampered with).

For encryption (optional in SAML), the service provider will need to send its public key to the identity provider. With the public key, the identity provider will be able to encrypt the response and only the service provider (with the private key) will be able to decrypt it.
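As an added illustration, not part of the quoted answer or of any SAML library, the following script parses a constructed SP metadata document, lists which certificate is offered for signing and which for encryption, and audits that the document carries only public material (DER certificates, no private key text). The entityID, the endpoint URLs and the certificate bodies are placeholders made up for this example; a real X509Certificate element holds a full base64 DER certificate, of which only the leading SEQUENCE tag byte is inspected here. Only the Python standard library is used.

```python
"""Inspect SAML 2.0 SP metadata and confirm it exposes only public material."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bodies (a real one is a full X.509
# SEQUENCE); the audit below only looks at the leading 0x30 tag byte.
FAKE_SIGNING_CERT = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
FAKE_ENCRYPTION_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed SP metadata: entityID and Location values are placeholders.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_SIGNING_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_ENCRYPTION_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed failure case: someone pasted a (fake) PEM private key where the
# public certificate belongs. Publishing this would be a real incident.
LEAKED_METADATA = SAMPLE_SP_METADATA.replace(
    FAKE_SIGNING_CERT,
    "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTEDNOTAREALKEY\n-----END RSA PRIVATE KEY-----",
)


def extract_key_descriptors(metadata_xml):
    """Return [{'use': ..., 'der': bytes}, ...] for every X509Certificate.
    A KeyDescriptor without a 'use' attribute applies to both purposes."""
    root = ET.fromstring(metadata_xml)
    keys = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use", "both")
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            keys.append({"use": use, "der": der})
    return keys


def keys_for(metadata_xml, purpose):
    """Certificates a peer may use for `purpose` ('signing' or 'encryption')."""
    return [k["der"] for k in extract_key_descriptors(metadata_xml)
            if k["use"] in (purpose, "both")]


def audit_metadata(metadata_xml):
    """Return a list of findings; an empty list means the document carries only
    well-formed public certificates, which is what a peer needs and all it should see."""
    findings = []
    if "PRIVATE KEY" in metadata_xml:
        findings.append("private key material present in metadata")
    root = ET.fromstring(metadata_xml)
    for n, kd in enumerate(root.iter(f"{{{NS['md']}}}KeyDescriptor")):
        use = kd.get("use")
        if use not in (None, "signing", "encryption"):
            findings.append(f"KeyDescriptor {n}: unknown use {use!r}")
        certs = list(kd.iter(f"{{{NS['ds']}}}X509Certificate"))
        if not certs:
            findings.append(f"KeyDescriptor {n}: no X509Certificate")
        for cert in certs:
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError as exc:
                findings.append(f"KeyDescriptor {n}: certificate is not valid base64 ({exc})")
                continue
            if not der or der[0] != 0x30:
                findings.append(f"KeyDescriptor {n}: certificate does not start with a DER SEQUENCE")
    return findings


if __name__ == "__main__":
    for k in extract_key_descriptors(SAMPLE_SP_METADATA):
        print(f"{k['use']:>10}: {len(k['der'])} DER bytes")
    print("good metadata findings:", audit_metadata(SAMPLE_SP_METADATA))
    print("leaked metadata findings:", audit_metadata(LEAKED_METADATA))
```

The split into `signing` and `encryption` mirrors the two roles the answer describes: the IdP takes the signing certificate to verify requests the SP signs, and the encryption certificate to encrypt assertions that only the SP's private key can open. Neither certificate contains anything secret, which is why the audit only has to reject private key text and malformed certificate bodies, not the presence of public keys.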
