Is it safe to allow HTTP for SAML 2.0 Issuer URL?

I've implemented SAML 2.0 using the ruby-saml gem in my Rails app. In this app, clients can specify their SAML idp for their account. I have a client who insists that requiring HTTPS for the Issuer URL does nothing for security. I figured this URL represents their identity provider. Because of that I figured allowing HTTP identity providers might open my app up to MITM attacks, via their app.

Is it safe to allow HTTP URLs for Issuer URLs for SAML 2.0 implementations? If so, I'd like to hear why.


Category: sso Time: 2016-07-29 Views: 0
Tags: saml sso

Related post

iOS development

Android development

Python development

JAVA development

Development language

PHP development

Ruby development


Front-end development


development tools

Open Platform

Javascript development

.NET development

cloud computing


Copyright (C), All Rights Reserved.

processed in 0.220 (s). 12 q(s)