Hi,

This is regarding [1]. Currently, when we send an unregistered realm, or no realm, in the 'wtrealm' parameter of the Passive STS request, we receive the same response as with the correct realm, but without the claim attributes. When an unregistered realm is passed, a log is printed at the back end from RegistryBasedTrustedServiceStore. This is the expected behavior at the moment.

The specification at [2] doesn't specify what to do when an invalid 'wtrealm' is passed. However, according to [2], both 'wtreply' and 'wtrealm' are optional parameters. In section 8 of [2], under security concerns, there is a possibility of a man-in-the-middle attack when the Identity Provider doesn't verify whether 'wtreply' is the same as, or is within, 'wtrealm'. The following part is quoted from [2]:

[Man-in-the-Middle attacks: The wtreply must be in wtrealm (i.e., the same URL, or, e.g., wtreply is a host within the domain of wtrealm). It is strongly RECOMMENDED that the Identity Provider verifies this, and that wtreply is a valid HTTP/S address.
• The wtrealm SHOULD be a security realm of the resource in which nobody can control URLs.
• For Kerberos tokens the key distribution SHOULD distribute correct realms for the keys, so that Identity Providers know what the correct realms are for keys that they use.
• For SAML tokens the resource SHOULD verify that exactly this realm is in one of the two (fix one!) fields of the ticket.
• For other token types similar considerations SHOULD be made before using them.
It is strongly RECOMMENDED that the resourceSTS secure information or use HTTP/S or some other transport-level security mechanism for all communications.]

As far as I understand, the behavior when an unregistered realm is passed in the request is OK according to the spec [2]. Though we don't support the verification of 'wtreply' against 'wtrealm' as described in [2] at the moment, we can enforce that the 'wtreply' provided in the request is similar to the 'Passive STS WReply URL' provided when registering the Service Provider in IS. If they are not similar, the user will be redirected to the given 'Passive STS WReply URL'.

As far as I understand, the overall realm validation workflow is OK to proceed. Any suggestions for improvement are welcome.

[1] https://wso2.org/jira/browse/IDENTITY-2803
[2] http://public.dhe.ibm.com/software/dw/specs/ws-fedpass/ws-fedpass.pdf

Thank you.

--
Hareendra Chamara Philips
Software Engineer
Mobile : +94 (0) 767 184161
[email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
