Security Assertion Markup Language (SAML) is an open standard that enables single sign-on (SSO) by allowing an identity provider (IdP) to pass signed authentication assertions, rather than the user's credentials themselves, to a service provider (SP). Users authenticate once with their identity provider and can then access multiple applications without re-entering credentials. SAML uses XML-based assertions to communicate identity information between parties.
How It Works
In a typical SAML flow, a user attempts to access a service provider application. The SP generates a SAML authentication request and redirects the user's browser to the identity provider. The IdP authenticates the user, often through existing credentials or an active session, and generates a SAML response containing an assertion. This assertion includes the user's identity (the NameID), attributes such as roles or group memberships, and conditions such as a validity time window and the audience (the SP) it is meant for. The assertion is digitally signed by the IdP and sent back to the SP through the user's browser, typically as a base64-encoded form POST to the SP's assertion consumer service endpoint.
The service provider validates the SAML response by verifying the digital signature against the IdP's signing certificate (obtained out of band, usually from IdP metadata), checking that the current time falls inside the assertion's NotBefore/NotOnOrAfter window, confirming that the AudienceRestriction names this SP, and, for replay protection, matching InResponseTo to a request it actually issued and rejecting assertion IDs it has already accepted. Only after these checks pass does the SP create a local session for the user based on the attributes in the assertion. The entire exchange happens through browser redirects and POST requests, with the user experiencing a seamless login.
SAML implementations have a history of security vulnerabilities. XML signature wrapping (XSW) attacks exploit the gap between the element the signature covers and the element the SP actually processes: the attacker leaves the IdP-signed assertion intact but moves it elsewhere in the document and places an unsigned, attacker-controlled assertion where the SP looks first, so the signature still verifies while the SP acts on forged data. XML comment injection in the NameID field has been used to impersonate other users: the canonicalization applied before signing ignores comments, so an attacker holding a valid assertion for user@example.com.evil.com could insert a comment to produce user@example.com<!---->.evil.com without breaking the signature, and affected SP libraries read only the text before the comment. Misconfigured SPs that do not validate signatures at all, accept expired assertions, or fail to check the audience restriction are also common findings during security assessments.
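Putting the flow and the SP-side checks together, as an added example that is not from the original page: a miniature IdP that signs an assertion, an SP validator that applies the signature, reference, validity-window and audience checks described above, and a deliberately naive validator that falls to the signature-wrapping attack from the previous paragraph. XML-DSig is modelled on the real structure (a digest over the canonicalized assertion, a signature over SignedInfo that carries the digest) using Python's built-in C14N, but an HMAC shared key stands in for the IdP's RSA certificate; the entity IDs, assertion IDs, key, clock and user names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)  # keep these prefixes when re-serializing subtrees
# Constructed demo values. A real IdP signs with RSA/ECDSA and the SP holds only the
# IdP certificate from metadata; a shared HMAC key stands in for that key pair here.
IDP_KEY = b"demo-idp-signing-key"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ISO = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
FRESH = (NOW - timedelta(minutes=1), NOW + timedelta(minutes=5))  # NotBefore, NotOnOrAfter
STALE = (NOW - timedelta(hours=2), NOW - timedelta(hours=1))

def c14n(xml_bytes):
    """Canonical form minus any enveloped ds:Signature (XML-DSig's enveloped transform)."""
    return ET.canonicalize(xml_bytes, exclude_tags=[f"{{{DS}}}Signature"]).encode()

def idp_build_response(name_id, not_before, not_after, assertion_id="_a1", audience=SP_ENTITY_ID):
    """IdP side: an Assertion with an enveloped signature, inside a samlp:Response."""
    body = (f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before.strftime(ISO)}" '
            f'NotOnOrAfter="{not_after.strftime(ISO)}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions>')
    # The digest covers the Assertion; the signature covers SignedInfo, which carries the digest.
    digest = base64.b64encode(hashlib.sha256(c14n(f"{body}</saml:Assertion>".encode())).digest()).decode()
    signed_info = (f'<ds:SignedInfo xmlns:ds="{DS}"><ds:Reference URI="#{assertion_id}">'
                   f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>')
    sig = base64.b64encode(hmac.new(IDP_KEY, c14n(signed_info.encode()), hashlib.sha256).digest()).decode()
    signature = (f'<ds:Signature xmlns:ds="{DS}">{signed_info}'
                 f'<ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>')
    return f'<samlp:Response xmlns:samlp="{SAMLP}">{body}{signature}</saml:Assertion></samlp:Response>'

def sp_validate(response_xml, now, expected_audience=SP_ENTITY_ID):
    """SP side: return the NameID or raise ValueError. Only the Assertion named by the
    Reference URI is trusted, and it must be a child of the Response that encloses the Signature."""
    root = ET.fromstring(response_xml)
    sigs = root.findall(f".//{{{DS}}}Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one signature")
    signed_info = sigs[0].find(f"{{{DS}}}SignedInfo")
    ref = signed_info.find(f"{{{DS}}}Reference")
    # 1. Signature over SignedInfo (HMAC stands in for the IdP's RSA key).
    want = hmac.new(IDP_KEY, c14n(ET.tostring(signed_info)), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(sigs[0].findtext(f"{{{DS}}}SignatureValue", "")), want):
        raise ValueError("signature does not verify")
    # 2. Anti-wrapping: exactly one Assertion carries the referenced ID, it is a direct
    #    child of the Response, and the Signature is enveloped inside it.
    ref_id = ref.get("URI", "").lstrip("#")
    hits = [a for a in root.iter(f"{{{SAML}}}Assertion") if a.get("ID") == ref_id]
    if len(hits) != 1 or hits[0] not in list(root) or sigs[0] not in list(hits[0]):
        raise ValueError("signed element is not the assertion being processed")
    # 3. Digest over that Assertion with its enveloped Signature removed.
    digest = hashlib.sha256(c14n(ET.tostring(hits[0]))).digest()
    if not hmac.compare_digest(base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue", "")), digest):
        raise ValueError("digest mismatch")
    # 4. Conditions: validity window and audience restriction.
    cond = hits[0].find(f"{{{SAML}}}Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if not nb <= now < na:
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("audience mismatch")
    return hits[0].findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def sp_naive_name_id(response_xml):
    """Wrapping-vulnerable SP: verifies the digest of whatever element the Reference
    names, then reads the NameID from the first Assertion it finds."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{DS}}}Reference")
    ref_id = ref.get("URI", "").lstrip("#")
    signed = next(a for a in root.iter(f"{{{SAML}}}Assertion") if a.get("ID") == ref_id)
    digest = hashlib.sha256(c14n(ET.tostring(signed))).digest()
    if not hmac.compare_digest(base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue", "")), digest):
        raise ValueError("digest mismatch")
    first = root.find(f".//{{{SAML}}}Assertion")  # document order: the attacker's copy, if wrapped
    return first.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def xsw_wrap(response_xml, attacker_name_id):
    """Signature wrapping: keep the signed Assertion intact but move it into an element
    the SP ignores, and put an unsigned Assertion where the SP looks first."""
    start = response_xml.index("<saml:Assertion")
    end = response_xml.index("</saml:Assertion>") + len("</saml:Assertion>")
    evil = (f'<saml:Assertion xmlns:saml="{SAML}" ID="_evil"><saml:Subject><saml:NameID>'
            f'{attacker_name_id}</saml:NameID></saml:Subject></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP}">{evil}<samlp:Extensions>'
            f'{response_xml[start:end]}</samlp:Extensions></samlp:Response>')

def outcome(check, *args):
    """Run an SP check and report the NameID it accepted or why it rejected the response."""
    try:
        return check(*args)
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    good = idp_build_response("alice@example.com", *FRESH)
    print("valid:", outcome(sp_validate, good, NOW))
    print("wrapped, naive SP:", outcome(sp_naive_name_id, xsw_wrap(good, "admin@example.com")))
    print("wrapped, hardened SP:", outcome(sp_validate, xsw_wrap(good, "admin@example.com"), NOW))
```

The naive validator is not a straw man: it does verify the digest of the signed element, which is exactly why wrapping works against it. The signature stays valid because the signed bytes are untouched; what changes is which element the SP reads after verification. The hardened check therefore ties three things together before trusting anything: the ID the Reference names, the position of that element under the Response, and the fact that the Signature is its child.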
Why It Matters
SAML is widely deployed in enterprise environments for single sign-on. Because it serves as the gateway to multiple applications, a vulnerability in the SAML implementation can grant an attacker access to every application in the SSO ecosystem. Security assessments of SAML implementations focus on signature validation, assertion parsing, replay protection, and IdP/SP trust configuration, as weaknesses in any of these areas can lead to authentication bypass.
Need your application tested? Get in touch.