|Description||SAML Communications: Service Providers should use secure network protocols such as TLS or IPsec to provide integrity and confidentiality protection for SAML communications. In addition, the following measures should be implemented to counter replay, denial-of-service and other attacks:
(a) Clients should be required to authenticate at some level below the SAML protocol level (for example, using the SOAP over HTTP binding with HTTP over TLS/SSL, and requiring client-side certificates that chain to a trusted Certificate Authority) to provide traceability and counter DoS attacks.
(b) Use of the XML Signature element ds:SignatureProperties containing a timestamp should be required, so that the recipient can determine whether a signature is recent and reject replayed messages.
(c) Maintain state information concerning active sessions and validate that each incoming message corresponds to one of them.
(d) Correlate request and response messages, so that a response is accepted only for an outstanding request that it answers.
|Network Type(s)||Cable; Internet/Data; Satellite; Wireless; Wireline|
|Industry Role(s)||Service Provider|
|Keyword(s)||Cyber Security; Encryption; Information Protection; Intrusion Detection|
|Reference/Comments||OASIS, Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0.|
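The following is an added worked example, not code from the CSRIC page or from the OASIS document it cites. It shows how a Service Provider can implement measures (b), (c) and (d) on a SAML 2.0 Response: a freshness window on the signed IssueInstant and Conditions (in SAML 2.0 the enveloped signature covers the whole Response element, so these timestamps play the role the page assigns to the ds:SignatureProperties timestamp), a store of outstanding AuthnRequest IDs that each response must correlate with via InResponseTo, and a cache of already-accepted message IDs that rejects a replayed message even inside the freshness window. XML Signature verification itself is assumed to be done beforehand by a separate XML-DSig library (for example xmlsec); the code refuses to inspect a message whose signature has not been verified. The freshness window, skew tolerance, hostnames and the sample Response below are all constructed for this example.

```python
"""Replay, session-state and request/response correlation checks for SAML 2.0 Responses.

Added example: assumes the XML Signature has already been verified by an external
XML-DSig library before check_response() is called.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MAX_AGE = timedelta(minutes=5)      # assumed freshness window for IssueInstant
CLOCK_SKEW = timedelta(seconds=30)  # assumed tolerance between IdP and SP clocks


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix); fractional seconds are dropped."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


class SamlReplayGuard:
    """Per-SP state: outstanding AuthnRequest IDs (c, d) and accepted message IDs (b)."""

    def __init__(self, expected_audience):
        self.expected_audience = expected_audience
        self.outstanding_requests = {}  # AuthnRequest ID -> time the SP sent it
        # IDs already accepted. Entries older than NotOnOrAfter + MAX_AGE may be
        # evicted, because such messages fail the freshness check on their own.
        self.seen_ids = set()

    def register_request(self, request_id, sent_at):
        self.outstanding_requests[request_id] = sent_at

    def check_response(self, xml_text, now, signature_verified):
        if not signature_verified:
            return False, "signature not verified; refuse to inspect contents"
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Response" % NS["samlp"]:
            return False, "not a samlp:Response"
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion"
        resp_id, assertion_id = root.get("ID"), assertion.get("ID")
        if not resp_id or not assertion_id:
            return False, "missing ID"
        # (b) a message whose IDs were already accepted is a replay, however fresh
        if resp_id in self.seen_ids or assertion_id in self.seen_ids:
            return False, "replay: ID already accepted"
        # (c)/(d) the response must answer a request this SP actually sent
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.outstanding_requests:
            return False, "unsolicited or already-consumed InResponseTo"
        # (b) freshness of the signed IssueInstant
        issued = parse_instant(root.get("IssueInstant"))
        if issued > now + CLOCK_SKEW:
            return False, "IssueInstant in the future"
        if now - issued > MAX_AGE:
            return False, "stale response"
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            return False, "assertion has no Conditions"
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_instant(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - CLOCK_SKEW >= parse_instant(not_on_or_after):
            return False, "assertion expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.expected_audience not in audiences:
            return False, "audience mismatch"
        # All checks passed: consume the request (one response per request) and remember IDs.
        del self.outstanding_requests[in_response_to]
        self.seen_ids.update({resp_id, assertion_id})
        return True, "accepted"


# Constructed sample Response (signature element omitted; verification is assumed done).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-0001" InResponseTo="_req-0001" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_demo():
    """Accept the sample once, then show replay, stale and unsolicited rejections."""
    sp = "https://sp.example.test/metadata"
    sent = datetime(2024, 5, 1, 11, 59, 55, tzinfo=timezone.utc)
    now = datetime(2024, 5, 1, 12, 0, 10, tzinfo=timezone.utc)
    guard = SamlReplayGuard(sp)
    guard.register_request("_req-0001", sent)
    first = guard.check_response(SAMPLE_RESPONSE, now, signature_verified=True)
    replay = guard.check_response(SAMPLE_RESPONSE, now + timedelta(seconds=5), signature_verified=True)
    late_guard = SamlReplayGuard(sp)          # fresh instance, same request outstanding
    late_guard.register_request("_req-0001", sent)
    late = late_guard.check_response(SAMPLE_RESPONSE, now + timedelta(hours=1), signature_verified=True)
    unsolicited = SamlReplayGuard(sp).check_response(SAMPLE_RESPONSE, now, signature_verified=True)
    return first, replay, late, unsolicited


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "late", "unsolicited"), run_demo()):
        print(label, result)
```

The order of the checks matters: the seen-ID test runs before the request is consumed, so a replay within the window is reported as a replay rather than as an unsolicited response, and the outstanding request is deleted only after every check has passed, so a message rejected for a transient reason (for example clock skew) does not discard the session state a legitimate retry would need.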