Not an expert on the subject, I wanted to understand whether a public key, such as the one used for signing SAML tokens by an STS such as ADFS, can be retrieved on demand, automatically, by a relying party server. Is anything like this possible, or does the public key need to be deployed manually to the servers requiring it? Do standards like SAML allow embedding a URL in the SAML token for downloading the public key when needed? Is anything like this simply a crazy idea from a security standpoint?
The ADFS keys are all in the metadata.
The metadata is always publicly available via a URL.
In addition, the RP normally requires the metadata to do the initial configuration on its side.

rbrayb
- When you say metadata, you mean the identity provider's metadata? Does this mean that there is no need to manually distribute the STS encryption public key on service providers? – whatever Oct 03 '17 at 15:25
- Yes and yes, no need to distribute the key. – rbrayb Oct 03 '17 at 17:56
- I wonder how difficult it would be to provide the same functionality in a custom-built STS. I'm developing an STS that will be returning SAML tokens based on a set of permissions returned by another platform that will also be responsible for validating the provided credentials. – whatever Oct 04 '17 at 12:29
- This stuff is always a lot harder than it looks, and you need to ensure that it is secure. – rbrayb Oct 04 '17 at 17:53