
After running install.sh of the 2.4.0 Shibboleth Identity Server, the idp-metadata.xml file is created. Why is that? Is it not secure enough to use the standard HTTPS/443 port?

    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/SLO" />
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

Thanks,

Tamas

toma
  • Maybe because opening port 443 requires root privs, and for security, don't use root privs? – NickW Jun 03 '14 at 16:51
  • Cross-post: http://stackoverflow.com/q/24019046/1591669 – unor Jun 04 '14 at 16:59
  • @NickW that is not the case here. – cstamas Jun 08 '14 at 18:30
  • Since the IdP should use a valid (or trusted by the SPs) cert, I can't see any good reason why an additional port would be necessary. So, rephrasing it: why do we need the Shibboleth IdP to use more than one port, especially if we need to expose it to the internet, e.g. to create a federation with the cloud vendors, so (both) ports should be available for all SAML profiles? Why not use only one trusted, SSL-hardened, standard (maybe reverse-proxied) HTTPS port for everything? – toma Jun 13 '14 at 13:49

1 Answer

Port 8443 is used in a special way: it has the IdP certificate associated with that port (which is usually a self-signed one). At the same time, port 443 uses a well-known certificate.

cstamas
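A practical way to see the split the answer describes is to read the endpoints out of idp-metadata.xml grouped by port, and to compare the certificate published in the metadata with the one a port actually presents. The script below is an added example, not code from the original post or from the Shibboleth project. The sample metadata is constructed around the endpoint lines quoted in the question (plus one front-channel SSO endpoint on 443 for contrast), and its X509Certificate value is a placeholder, not a real certificate; `live_cert_fingerprint` needs network access and is only shown as a call to run against a real IdP.

```python
"""List the SAML endpoints of a Shibboleth IdP metadata file by port and
fingerprint the published signing certificate so it can be compared with
what the back-channel port serves. Added example, not from the original post."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: stands in for the DER bytes of the IdP certificate.
PLACEHOLDER_CERT_DER = b"constructed-placeholder-not-a-real-certificate"

# Constructed sample metadata built around the endpoints quoted in the question.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/SLO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""


def endpoints_by_port(metadata_xml: str) -> dict:
    """Map each TCP port to the (element, binding, path) endpoints served on it.
    A Location with no explicit port is taken as HTTPS on 443 (or HTTP on 80)."""
    root = ET.fromstring(metadata_xml)
    by_port = defaultdict(list)
    for el in root.iter():
        loc = el.get("Location")
        if not loc:
            continue
        url = urlparse(loc)
        port = url.port or (443 if url.scheme == "https" else 80)
        tag = el.tag.split("}")[-1]  # strip the namespace URI from the tag
        by_port[port].append((tag, el.get("Binding"), url.path))
    return dict(by_port)


def soap_only_ports(by_port: dict) -> list:
    """Ports on which every endpoint uses a SOAP (back-channel) binding."""
    return sorted(port for port, eps in by_port.items()
                  if all("SOAP" in (binding or "") for _, binding, _ in eps))


def metadata_cert_fingerprint(metadata_xml: str) -> str:
    """SHA-256 fingerprint of the first X509Certificate published in the metadata."""
    root = ET.fromstring(metadata_xml)
    node = root.find(".//ds:X509Certificate", NS)
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()


def live_cert_fingerprint(host: str, port: int) -> str:
    """SHA-256 fingerprint of the certificate a live TLS port presents.
    Requires network access; compare its result with metadata_cert_fingerprint."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


if __name__ == "__main__":
    by_port = endpoints_by_port(SAMPLE_METADATA)
    for port, eps in sorted(by_port.items()):
        print(f"port {port}:")
        for tag, binding, path in eps:
            print(f"  {tag:28} {binding.rsplit(':', 1)[-1]:14} {path}")
    print("back-channel (SOAP-only) ports:", soap_only_ports(by_port))
    print("metadata cert sha256:", metadata_cert_fingerprint(SAMPLE_METADATA))
    # Against a real deployment, the back-channel port should present the
    # metadata certificate (self-signed is fine there, since SPs trust it by
    # fingerprint from the metadata), while 443 presents the public CA cert:
    # live_cert_fingerprint("idp.example.com", 8443)
    # live_cert_fingerprint("idp.example.com", 443)
```

The point of the two fingerprints is that SPs do not validate the back-channel certificate through the browser CA trust store at all; they pin it from the metadata, so it is the match between `metadata_cert_fingerprint` and what port 8443 serves that matters, whereas port 443 must satisfy users' browsers with a publicly trusted certificate.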