Force SOAP to use TLS1.2

Is there a way to force the SOAP message that contains the Artifact Resolve request to use TLS1.2?

We’re using the low-level API, if that matters.

You need to set the ServicePointManager.SecurityProtocol property.
For example:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

More information may be found at:
https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol(v=vs.110).aspx
https://stackoverflow.com/questions/26414424/which-versions-of-ssl-tls-does-system-net-webrequest-support
https://stackoverflow.com/questions/29663974/wcf-client-in-net-4-51-how-to-enable-tls-1-2-when-webrequest-is-used
https://stackoverflow.com/questions/4137106/are-there-net-implementation-of-tls-1-2

Thank you. Will I need to set the same property on the IdP when I send the Artifact Response back to the SP? I’m assuming that I will need to based on what I’ve read because a ServicePoint object seems to apply to a URI scheme and host, and the IdP is on a different server than the SP.

(In this case, the SP is sending the artifact resolve to the IdP and the IdP responds to the SP with an artifact response. I’m guessing that was obvious, but wanted to clarify, just in case it wasn’t.)

The SP will attempt to establish an HTTPS connection to the IdP so it can send the artifact resolve SOAP message.
The TLS algorithm to use is negotiated during the SSL handshake.
If the property is set at the IdP then the IdP requires TLS 1.2.
Similarly, if the property is set at the SP then the SP requires TLS 1.2.
As long as one of the endpoints requires TLS 1.2 and both endpoints support TLS 1.2, the connection will use TLS 1.2.
Once a connection is established, the SP will send the artifact resolve SOAP message in an HTTP request.
The IdP will return the artifact resolve SOAP message in an HTTP response.
The HTTP request and response are over the one connection rather than separate connections.
Therefore both messages are over TLS 1.2.
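The following C# snippet is an added example, not code from this thread or from the SAML library being discussed. It builds on the two answers above: it adds TLS 1.2 to ServicePointManager.SecurityProtocol (OR-ing it in rather than assigning, so any other protocol already enabled is left alone) and includes a small diagnostic that opens a TLS connection to a peer host offering only TLS 1.2 and reports the negotiated protocol, which is a quick way to confirm the handshake outcome described above before wiring up the artifact resolve exchange. The host name `idp.example.com` is a placeholder; substitute the host of the endpoint you are calling (the IdP for the artifact resolve request, the SP for the artifact response).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

namespace Tls12Check
{
    public static class TlsConfig
    {
        // Add TLS 1.2 to the enabled client protocols without removing whatever else
        // is enabled. Assigning "= Tls12" (as in the answer above) also works, but then
        // any remaining TLS 1.0/1.1-only peers would no longer connect.
        public static void EnableTls12()
        {
            ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
        }

        // True when TLS 1.2 is among the protocols this process will offer.
        public static bool IsTls12Enabled()
        {
            return (ServicePointManager.SecurityProtocol & SecurityProtocolType.Tls12)
                   == SecurityProtocolType.Tls12;
        }

        // Diagnostic: connect to the peer, offer only TLS 1.2 in the handshake and
        // return the protocol that was actually negotiated. Certificate validation and
        // revocation checking are left at their defaults (enabled).
        public static SslProtocols NegotiateTls12(string host, int port = 443)
        {
            using (var client = new TcpClient(host, port))
            using (var ssl = new SslStream(client.GetStream(), false))
            {
                ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12,
                                         checkCertificateRevocation: true);
                return ssl.SslProtocol;
            }
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            TlsConfig.EnableTls12();
            Console.WriteLine("TLS 1.2 enabled in ServicePointManager: "
                              + TlsConfig.IsTls12Enabled());

            // Placeholder host: pass the real peer host name as the first argument.
            string host = args.Length > 0 ? args[0] : "idp.example.com";
            try
            {
                Console.WriteLine("Negotiated with " + host + ": "
                                  + TlsConfig.NegotiateTls12(host));
            }
            catch (AuthenticationException ex)
            {
                // The handshake failed: the peer does not accept TLS 1.2, or its
                // certificate did not pass validation. Either way, fix it before
                // relying on this connection for the artifact exchange.
                Console.WriteLine("TLS 1.2 handshake with " + host + " failed: "
                                  + ex.Message);
            }
        }
    }
}
```

Run it once from each side (SP host pointing at the IdP, IdP host pointing at the SP) to confirm both directions negotiate Tls12. On .NET Framework 4.7 and later, leaving the property at its SecurityProtocolType.SystemDefault value lets the operating system choose the protocol set instead, which is the usual recommendation when the OS TLS policy is already managed.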

Thank you for the detailed response! That was exactly what I needed.

Also, in case you weren’t aware, you require Windows Server 2012 or above and .NET Framework v4.5 or above to support TLS 1.2.