I am working on a service which provides authentication service using SAML SSO protocol for communication security.
Brief intro: SAML SSO recognizes Identity Provider (IP or IDP) and Service Provider, which “trusts” and delegates user authentication to IDP. Here is how trust is established:

1. Service Provider (SP):
   - trusted IDP name and certificate
   - single sign on (SSO) URL
2. Identity Provider (IDP):
   - relying SP name and certificate
   - SSO consumer URL

Whenever SP needs to authenticate user, it redirects it to SSO endpoint and passes SAMLRequest either in query string or form field (GET or POST method).
What I would like to know is whether it is a requirement that the client who requires authentication send the request through the "https" protocol, or whether the request can also be relayed over an http channel. I am just asking whether the SAML protocol mandates us to use https or not.
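An added example, not part of the original post: in the HTTP-Redirect (GET) binding the SAMLRequest query parameter is raw-DEFLATE compressed and base64-encoded, not encrypted, so the sketch below decodes one and flags any endpoint in it that is not https. The request, the hostnames under example.test and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; all hostnames are placeholders.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="http://idp.example.test/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(xml_text, sso_url):
    """SP side: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    token = base64.b64encode(deflated).decode("ascii")
    return sso_url + "?" + urlencode({"SAMLRequest": token})

def decode_redirect(url):
    """Recover the XML from a redirect URL; no key is needed to do this."""
    token = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(token), -15).decode("utf-8")

def insecure_endpoints(xml_text):
    """Return (attribute, url) pairs in the AuthnRequest that are not https."""
    # The sample is constructed; for untrusted XML use a hardened parser
    # such as defusedxml instead of the standard-library one.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    attrs = ("Destination", "AssertionConsumerServiceURL")
    return [(a, root.get(a)) for a in attrs
            if root.get(a) and urlparse(root.get(a)).scheme.lower() != "https"]

if __name__ == "__main__":
    redirect = encode_redirect(SAMPLE_REQUEST, "http://idp.example.test/sso")
    print(insecure_endpoints(decode_redirect(redirect)))
```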