
Single Logout in Shibboleth IdP

6 bytes removed, 18 August 2009, 12:37 (minor edit; edit summary: Security)
== Non-trivial settings ==
=== Security ===
The SAML Single Logout Profile requires logout requests and responses to be signed or otherwise authenticated. Without this, anyone who knows a user's NameID (and the SessionIndex, where the SP issued one) could forge a LogoutRequest and terminate that user's session, a denial of service against the session.
Signing messages is common for front-channel messages but is normally unnecessary for back-channel (SOAP) messages, because the transport itself is authenticated: the TLS connection is made with the certificates published in the metadata. For back-channel logout, however, it is the IdP that initiates the HTTP connection to the SP, and it is the SP's '''web server''' that answers the request. Because of the different needs, the web server almost always presents a different certificate (a well-known, commercially issued server certificate) than the one registered for the SP in metadata (possibly self-signed, normally used as a client certificate). The IdP therefore cannot authenticate the SP from the TLS server certificate alone. '''Therefore the SP must sign back-channel messages to authenticate itself to the IdP.'''
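The following shibboleth2.xml fragment is an added example, not part of the original page or of the Shibboleth project's documentation. It shows the weak setting (the SP signs nothing, so its back-channel LogoutResponse is "authenticated" only by the web server's TLS certificate, which need not match the certificate in SP metadata) beside the corrected one (the SP signs back-channel messages with the key that belongs to its metadata certificate). The entityID, the attribute names in REMOTE_USER and the key/certificate file names are assumptions; the <code>signing</code> attribute values (<code>false</code>, <code>front</code>, <code>back</code>, <code>true</code>) and the <code>CredentialResolver</code> element are Shibboleth SP 2.x syntax.

```xml
<!-- Added example: weak configuration (assumed entityID and file names). -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="false" encryption="false">
    ...
    <!-- This key pair is the one published in the SP's metadata; with
         signing="false" it is never used on back-channel SLO messages. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>

<!-- Added example: corrected configuration. signing="back" signs SOAP
     (back-channel) messages, so the LogoutResponse carries a signature the
     IdP can verify against the SP's metadata certificate, regardless of
     which server certificate the web server presented over TLS.
     "front" signs only redirect/POST messages; "true" signs both. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="back" encryption="false">
    ...
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

After changing the setting, confirm on the IdP side that the signing certificate in the SP's metadata matches sp-cert.pem; a signature made with a key that is not in metadata is rejected just like a missing one.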
