samlsaml-2.0

Security concerns with providing SAML metadata on public URL


I am wondering whether there are any major security concerns with providing metadata for SAML configuration on a public URL versus providing the IdP or SP with a metadata file. The metadata includes a public key for encryption.

If there are any security concerns what are they?


Solution

  • No, there are no security concerns in providing the metadata as a public resource.

    Public keys will usually be provided in the metadata for verifying the signature (with the public key, the service provider - consumer - can verify that the SAML response sent by the identity provider has not been tampered with).

    For encryption (optional in SAML), the service provider will need to send its public key to the identity provider. With the public key, the identity provider will be able to encrypt the response and only the service provider (with the private key) will be able to decrypt it.