Open AlistairDoswald opened 6 years ago
Alistair, KC Administrators can configure whether to allow plain HTTP access to the realm and all of its resources (protocols, etc), shouldn't it be enough?
As far as I know, a KC administrator can only decide if the KC realm will allow http or https connection to it with the Realm Settings > Login > Require SSL
value. However, it doesn't have any influence on whether the communication between user and client/WS-Resource/SP is secured or not. You should be able to force this however by specifying that a client's Valid Redirect URIs is of the form https://host:port/...
My question was basically whether we should enforce the use of the https in the Valid Redirect URIs. I also discussed the matter yesterday with a colleague who's more security-oriented than me. We've arrived at the conclusion that since KC doesn't require strict security for the other protocols (the signature of documents can even be removed for the SAML protocol), and doesn't even warn when using unsafe settings, we shouldn't either. I'll get around to adding it in the documentation however (including web-documentation).
However, I haven't completely abandoned the idea of making the interface a little more explicit and displaying a warning when unsafe settings are used.
A 2005 study formally proves that WS-Fed is secure under certain conditions. One of the important conditions of that proof relies on the fact that the communication between the user and the WS Resource is done over a secure channel. Currently, this can certainly be done, but should we ensure this by making the use of non-secure channels impossible (error message and refusal to save), or at least warn the user that without the secure channel the IDP and client are vulnerable?
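As an added example (not code from this issue, from Keycloak, or from the WS-Fed extension) of the two checks discussed in this thread, the realm-level Require SSL setting and non-https entries in a client's Valid Redirect URIs, the script below audits a Keycloak realm export. It relies only on the field names of the realm JSON export (`sslRequired`, `clients[].clientId`, `clients[].redirectUris`); the sample export embedded in it is constructed for the example, and the `refuse` flag models the "warn versus refuse to save" choice the issue raises, it is not a Keycloak option.

```python
"""Audit a Keycloak realm export for plain-HTTP exposure.

Added example, not Keycloak code. It reads the realm-export JSON shape
(realm-level "sslRequired", per-client "redirectUris") and reports:
  - a realm whose Require SSL is "none" (plain HTTP to Keycloak allowed), and
  - every client whose Valid Redirect URIs contain a non-https entry,
which is the condition this thread proposes to warn on or refuse.
"""
import json
from urllib.parse import urlsplit

# Constructed sample export (not a real realm). Field names follow the
# realm JSON that Keycloak's export/import uses.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "demo",
    "sslRequired": "none",
    "clients": [
        {"clientId": "secure-app",
         "redirectUris": ["https://app.example.com/*"]},
        {"clientId": "legacy-app",
         "redirectUris": ["http://legacy.example.com:8080/callback",
                          "https://legacy.example.com/callback"]},
        {"clientId": "mixed-app",
         "redirectUris": ["urn:ietf:wg:oauth:2.0:oob", "*"]},
    ],
})


def insecure_redirect_uris(uris):
    """Return the entries that do not pin the https scheme.

    An explicit http:// URI is the obvious case. A bare "*" or a
    relative pattern has no scheme at all, so it would also admit an
    http redirect target and is reported as well.
    """
    return [uri for uri in uris if urlsplit(uri).scheme.lower() != "https"]


def check_redirect_uris(uris, refuse=False):
    """Validate a client's redirect URIs the way a save hook might.

    refuse=False: return the offending entries (warn mode).
    refuse=True:  raise ValueError so the save is rejected (strict mode).
    The refuse flag is this example's own knob, not a Keycloak setting.
    """
    bad = insecure_redirect_uris(uris)
    if bad and refuse:
        raise ValueError("non-https redirect URIs: " + ", ".join(bad))
    return bad


def audit_realm(export_json):
    """Return (kind, name, message) findings for a realm export string."""
    realm = json.loads(export_json)
    findings = []
    # "external" is assumed as the default when the key is absent.
    if realm.get("sslRequired", "external") == "none":
        findings.append(("realm", realm.get("realm"),
                         "sslRequired is none: plain HTTP to the realm is allowed"))
    for client in realm.get("clients", []):
        bad = check_redirect_uris(client.get("redirectUris", []))
        if bad:
            findings.append(("client", client["clientId"],
                             "non-https redirect URIs: " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for kind, name, message in audit_realm(SAMPLE_REALM_JSON):
        print(f"WARNING {kind} {name}: {message}")
```

Run against a real export (`kc.sh export` or the admin console's partial export) by replacing `SAMPLE_REALM_JSON` with the file contents; in warn mode the script only reports, and `check_redirect_uris(..., refuse=True)` shows what the "error message and refusal to save" variant would do.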