HTTP Header Protection for a Proxy Mode Deployment at the Relying Party
In a proxy mode deployment at the relying party, Federation Manager passes identity attributes from the SAML assertion to backend applications as HTTP headers. The target application trusts these headers because it expects them to come only from Federation Manager. However, if an unauthorized user knows the name of an assertion attribute, they can send a request that sets that name as a header themselves, for example from a browser extension or a command-line HTTP client. If Federation Manager forwards that header unchanged, the target application sees the header value it expects and grants access to the resource even though Federation Manager never consumed an assertion.
Specifying a value for the HTTP Header Prefix setting protects against this attack. With a prefix configured, a spoofed request is handled as follows:
- An unauthorized user learns the names of the HTTP headers that the target application trusts. These header names include the prefix.
- The unauthorized user sends a request that includes those headers to Federation Manager.
- Federation Manager treats any prefixed header that arrives in an incoming request as untrusted, because it did not generate that header itself, and removes it.
- Federation Manager then adds the prefix to each of its own legitimately generated headers and passes only those to the target application. Prefixed headers can therefore reach the target application only from Federation Manager.
Configure the target application to read only the prefixed header names. An application that still reads the unprefixed names remains exposed, because the prefix protection applies only to headers that carry the prefix.
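The following Python script is an added example that models the behaviour described above; it is not Federation Manager code, and the prefix value `SMFED_`, the header names, the function names and the sample requests are all constructed for illustration. It shows three cases side by side: a spoofed prefixed header being stripped, the same spoof succeeding when no prefix is configured, and a legitimate assertion producing the only prefixed header the backend ever sees.

```python
"""Added example: a minimal model of HTTP Header Prefix protection at a
proxy-mode relying party. Not Federation Manager code; the prefix, header
names and sample requests below are constructed for illustration."""

PREFIX = "SMFED_"   # assumed value for the HTTP Header Prefix setting


def strip_spoofed_headers(incoming: dict, prefix: str) -> dict:
    """Remove every client-supplied header whose name carries the trusted prefix.

    HTTP header names are case-insensitive, so the comparison is too:
    a request carrying 'smfed_email' is treated like 'SMFED_email'.
    With an empty prefix nothing can be told apart, so nothing is removed.
    """
    if not prefix:
        return dict(incoming)
    p = prefix.lower()
    return {name: value for name, value in incoming.items()
            if not name.lower().startswith(p)}


def forward_to_backend(incoming: dict, assertion_attrs: dict, prefix: str) -> dict:
    """Build the header set the proxy hands to the target application.

    Step 1: drop spoofed prefixed headers from the incoming request.
    Step 2: add the proxy's own identity headers, named prefix + attribute.
    assertion_attrs is empty when no assertion was consumed for this request.
    """
    headers = strip_spoofed_headers(incoming, prefix)
    for attr, value in assertion_attrs.items():
        headers[prefix + attr] = value
    return headers


def backend_user(headers: dict, prefix: str, attr: str = "email"):
    """The target application's trust decision: it reads only the prefixed
    identity header and returns the user it names, or None if absent."""
    wanted = (prefix + attr).lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


# Constructed sample traffic (not captured from any real deployment).
SPOOFED_REQUEST = {"Host": "app.example.com", "smfed_email": "admin@example.com"}
SPOOFED_NO_PREFIX = {"Host": "app.example.com", "email": "admin@example.com"}
ASSERTION_ATTRS = {"email": "alice@example.com"}


def demo() -> dict:
    """Run the three scenarios and return the identity the backend sees in each."""
    results = {}
    # 1. Prefix configured, attacker forges the prefixed header, no assertion:
    #    the proxy strips it and the backend sees no identity at all.
    results["spoof_with_prefix"] = backend_user(
        forward_to_backend(SPOOFED_REQUEST, {}, PREFIX), PREFIX)
    # 2. No prefix configured, attacker forges the bare attribute header:
    #    it passes straight through and the backend trusts it.
    results["spoof_without_prefix"] = backend_user(
        forward_to_backend(SPOOFED_NO_PREFIX, {}, ""), "")
    # 3. Prefix configured and an assertion was consumed: the spoofed header
    #    is stripped and only the proxy-generated prefixed header arrives.
    results["legitimate"] = backend_user(
        forward_to_backend(SPOOFED_REQUEST, ASSERTION_ATTRS, PREFIX), PREFIX)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: backend identifies {user!r}")
```

The case-insensitive match in `strip_spoofed_headers` is a modelling choice made here because HTTP header names are case-insensitive; a filter that compared prefixes case-sensitively would let `smfed_email` through while blocking `SMFED_email`. Whatever Federation Manager does internally, the check worth making in your own deployment is that a manually set prefixed header in any letter case never reaches the target application.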
To set the HTTP Header Prefix
- Navigate to Infrastructure, Deployment Settings.
- Enter any valid string as a prefix in the HTTP Header Prefix field.
You only see this field if you enabled Proxy Mode when installing Federation Manager.
- Save your changes.
To confirm that the protection is in effect, send a request to Federation Manager that manually sets one of the prefixed header names and verify that the target application does not receive the spoofed value.