On Wed, 9 Dec 2009, Peter Schober wrote:
> Login was via Shibboleth/SAML and over SSL (you still want an SSL-cert
> on that service, so those HTTP POST requests from an IdP that carry the
> SAML assertion still end up at HTTPS endpoints -- otherwise browsers
> will complain), but the rest was accessed via plain HTTP (using an HTTP
> cookie that's not flagged 'secure', obviously).
And is this, generally, a concern?
Our main University website has various areas marked as "campus access
only", which are protected by IP. Which is fine if you're on-campus, not
so good if you are off-campus, and do not wish to use VPN (or cannot).
(These resources tend not even to be so very sensitive).
It wouldn't be hard to shibbolize this service and add to our local
federation, so that non-campus clients get authenticated via the IdP
instead, but of course, this website is still delivering over HTTP rather
than HTTPS. I'm happy the authentication is protected, less sure about
the potential consequences for the cookie content.
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
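The concern raised in this thread is what happens to the application session cookie once the Shibboleth/SAML login has finished over HTTPS and the rest of the site is served over plain HTTP. The following Python snippet, added here as an example and not code from the original post or from the Shibboleth project, audits Set-Cookie headers for the flags that matter in that situation: a cookie without the Secure flag is sent on every plain-HTTP request, while a cookie with the Secure flag on a site that is itself served over HTTP is never sent back at all. The header values below are constructed for the example; the `_shibsession_` prefix follows the Shibboleth SP naming convention, but the cookie contents are made up.

```python
"""Audit Set-Cookie headers for session cookies that would travel over plain HTTP."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a dict of lower-cased attributes.

    Valueless attributes such as Secure and HttpOnly are recorded as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val.strip() else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, site_is_https: bool) -> CookieAudit:
    """Report the flags on one cookie and what they mean for a site served over HTTP or HTTPS."""
    cookie = parse_set_cookie(header)
    secure = cookie["attrs"].get("secure") is True
    httponly = cookie["attrs"].get("httponly") is True
    audit = CookieAudit(cookie["name"], secure, httponly)
    if not secure:
        audit.findings.append("no Secure flag: the browser also sends this cookie on plain-HTTP requests")
    if not httponly:
        audit.findings.append("no HttpOnly flag: page scripts can read this cookie")
    if secure and not site_is_https:
        audit.findings.append("Secure flag set but the site is served over HTTP: the browser will never send it back")
    return audit


def exposed_over_http(headers: list, site_is_https: bool) -> list:
    """Names of cookies that will be transmitted in clear text given how the site is served."""
    if site_is_https:
        return []
    return [audit_cookie(h, site_is_https).name for h in headers
            if not audit_cookie(h, site_is_https).secure]


# Constructed sample headers: one session cookie as a Shibboleth SP might set it without
# cookieProps="https", and one application cookie with both flags set.
SAMPLE_HEADERS = [
    "_shibsession_64656661756c74=_constructedsessionid; path=/; HttpOnly",
    "JSESSIONID=constructedvalue; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_cookie(header, site_is_https=False)
        print(result.name, "secure=%s httponly=%s" % (result.secure, result.httponly))
        for finding in result.findings:
            print("  -", finding)
    print("sent in clear text on an HTTP site:", exposed_over_http(SAMPLE_HEADERS, site_is_https=False))
```

Run against captured Set-Cookie headers from the site in question, the `exposed_over_http` list is the set of cookies a network observer on an HTTP path would see; moving the whole site to HTTPS (and then setting the Secure flag) is what removes that list entirely, whereas setting the Secure flag alone on an HTTP-only site breaks the session instead of protecting it.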