  • Can anyone post a SAML Response?


    When the IDP sends the SAML response, I am able to intercept it and create a static HTML page from the SAML Response POST page.

    Once I have saved it, I am able to post the response to the SP. This is a kind of hack.

    I tried the above scenario over HTTP. I know HTTPS is a bit harder.

    How do I prevent this kind of attack?

    Please let me know.


  • #2
    Hi Parthi,

    You can find answers to this and similar questions in the Security Considerations of SAML.

    Briefly, in the case of a stolen assertion there are these counter-measures provided as part of the protocol:
    - the assertion typically has a limited validity period set by NotBefore and NotOnOrAfter
    - the time since authentication is limited by IssueInstant and AuthnInstant
    - messages are protected with request-response ID numbers

    In the case of the Spring SAML Extension:
    - an attacker would need to be able to steal the user's HTTP session if SP-initiated SSO is used

    Using the SAML protocol as such doesn't guarantee that all possible scenarios are secure under all circumstances. The selection of bindings and profiles needs to be made with their constraints in mind. The above-mentioned document is a good source for such information. In most situations, use of SSL/TLS transport layer security is strongly recommended.
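The checks listed in the reply above, written out as an added example that is not part of this thread or of the Spring SAML Extension's own code. It is a protocol-level sketch in Python using only the standard library: the SP keeps the IDs of the AuthnRequests it issued, binds each Response to one of them via InResponseTo, applies the NotBefore/NotOnOrAfter window and the AuthnInstant age limit with a small clock-skew tolerance, and refuses to accept the same assertion ID twice. The sample Response, the entity URLs and the skew/age limits are constructed for the example; it carries no XML signature, and a real SP must verify the signature before any of these checks, since none of them help against a forged message. Replaying a saved copy of the POST page, as described in the question, fails on the consumed request ID immediately and on the time window shortly afterwards.

```python
"""Replay and timing checks an SP applies to a SAML Response (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # a real SP should use a hardened parser (e.g. defusedxml)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample Response (not a real capture). Unsigned for brevity: in a
# real SP the signature over the Response/Assertion is verified before anything below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://sp.example.com/saml/SSO" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://sp.example.com/saml/SSO" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-05-01T11:58:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class SamlReplayGuard:
    """Per-SP state needed for the replay/timing checks (hypothetical helper)."""
    acs_url: str
    pending_request_ids: set = field(default_factory=set)  # AuthnRequest IDs this SP issued
    seen_assertion_ids: set = field(default_factory=set)   # assertion IDs already accepted
    clock_skew: timedelta = timedelta(seconds=60)          # assumed tolerance for IDP/SP clock drift
    max_authn_age: timedelta = timedelta(minutes=30)       # assumed limit on time since AuthnInstant

    def validate(self, xml_text, now):
        """Return (accepted, reason). Assumes the message signature was already verified."""
        root = ET.fromstring(xml_text)
        # Request/response ID binding: the Response must answer a request we issued
        # (SP-initiated SSO); the request ID is consumed on first successful use.
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.pending_request_ids:
            return False, "unexpected InResponseTo"
        if root.get("Destination") != self.acs_url:
            return False, "wrong Destination"
        if parse_ts(root.get("IssueInstant")) > now + self.clock_skew:
            return False, "issued in the future"
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion"
        # Validity window from Conditions, widened by the skew tolerance.
        cond = assertion.find("saml:Conditions", NS)
        if now < parse_ts(cond.get("NotBefore")) - self.clock_skew:
            return False, "assertion not yet valid"
        if now >= parse_ts(cond.get("NotOnOrAfter")) + self.clock_skew:
            return False, "assertion expired"
        # Bearer confirmation must name this ACS URL and the same request, and be unexpired.
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != self.acs_url or scd.get("InResponseTo") != in_response_to:
            return False, "subject confirmation mismatch"
        if now >= parse_ts(scd.get("NotOnOrAfter")) + self.clock_skew:
            return False, "subject confirmation expired"
        # Limit how long ago the user actually authenticated at the IDP.
        authn = assertion.find("saml:AuthnStatement", NS)
        if now - parse_ts(authn.get("AuthnInstant")) > self.max_authn_age:
            return False, "authentication too old"
        # One-time use: an assertion ID presented a second time is a replay.
        assertion_id = assertion.get("ID")
        if assertion_id in self.seen_assertion_ids:
            return False, "assertion already consumed"
        self.seen_assertion_ids.add(assertion_id)
        self.pending_request_ids.discard(in_response_to)
        return True, "ok"


if __name__ == "__main__":
    guard = SamlReplayGuard("https://sp.example.com/saml/SSO", {"_req42"})
    print(guard.validate(SAMPLE_RESPONSE, parse_ts("2024-05-01T12:00:30Z")))  # first POST accepted
    print(guard.validate(SAMPLE_RESPONSE, parse_ts("2024-05-01T12:00:40Z")))  # saved page replayed
    late = SamlReplayGuard("https://sp.example.com/saml/SSO", {"_req42"})
    print(late.validate(SAMPLE_RESPONSE, parse_ts("2024-05-01T12:10:00Z")))   # after NotOnOrAfter
```

The order of the checks matters only for which reason is reported; all of them must pass. In IDP-initiated SSO there is no InResponseTo to bind to, which is why the reply above notes that the SP-initiated profile is the one where an attacker additionally needs the user's HTTP session, and why the one-time assertion ID cache and the time window are the only protocol-level defences left in the unsolicited case.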