
List:       shibboleth-users
Subject:    Re: Shibboleth IdP in a WAF
From:       "Cantor, Scott via users" <users () shibboleth ! net>
Date:       2024-04-15 12:34:00
Message-ID: 7DA06023-CDF3-49CE-ACDD-8B5C80269E66 () osu ! edu

> Can anyone else share how they are accomplishing this?

The lockout feature inside the IdP, but that's not about DOS protection, which is a
network consideration. You can't do anything about that at the app layer without
spending far more time than makes sense, and there would be other attacks possible
below layer 7 anyway.

> Is there a way to add a response header to indicate when a failure
> occurs?

No, but it's a reasonable request. There probably is a way to hack something in
there based on a custom audit extractor function running for the password flow audit
log.

-- Scott

