SAML Introduction

SAML (Security Assertion Markup Language) facilitates Single Sign-On (SSO) by allowing users to authenticate once with an Identity Provider (IdP) and access multiple Service Providers (SPs) without re-entering credentials. The SAML process involves a sequence of requests and responses between the user, SP, and IdP, ensuring secure authentication and authorization. However, SAML has vulnerabilities such as unchecked signatures and replay attacks that can compromise security if not properly managed.

Uploaded by

mmm21121990

SAML

Security Assertion Markup Language

Entities Involved in SAML

1. Service Provider
The SP is the application the user wants to use. It consumes the assertion
issued by the IdP, verifies it, and then makes its own authorisation decision
for that user.
2. Identity Provider
The IdP authenticates the user and issues a signed assertion to the SP stating
who the user is (and optionally attributes such as group membership). The
user's credentials themselves never reach the SP.

Advantages of SAML
1. SAML enables SSO
The user logs in once at the IdP; that IdP session is then used to obtain
assertions for other SPs without re-entering credentials.
2. Improved User Experience
Users only need to sign in one time to access multiple service providers.
3. Increased Security
Authentication happens at a single point, the IdP, so password handling, MFA
and lockout policy are enforced once, and only identity information is
transferred to the service providers.
4. Loose Coupling of Directories
User information does not need to be maintained and synchronised between the
SP's and the IdP's directories.
5. Reduced Costs for Service Providers
SPs do not have to maintain credentials or account information across
multiple services.

SAML Process Flow (SP-initiated, with Auth0 as the IdP)

1. The user tries to log in to the service provider from a browser.
2. The service provider responds by generating a SAML request (AuthnRequest).
3. The browser redirects the user to the IdP's SSO URL, here Auth0, carrying the
encoded request.
4. Auth0 parses the SAML request and authenticates the user. This could be with
username and password or even social login. If the user already has a session
with Auth0, this step is skipped. Once the user is authenticated, Auth0
generates a SAML response.
5. Auth0 returns the encoded SAML response to the browser.
6. The browser sends the SAML response to the service provider's Assertion
Consumer Service for verification.
7. If the verification is successful, the user is logged in to the service provider
and granted access to the resources that they are authorised to view/modify.
SAML Request Breakup
1. ID
Newly generated random identifier for the request. The SP must remember it so
the matching response can be recognised later.
2. IssueInstant
Timestamp indicating when the request was generated.
3. AssertionConsumerServiceURL
The SAML endpoint of the service provider where the Identity Provider sends
the authentication response.
4. Issuer
The EntityID (unique identifier) of the service provider.
The next two fields are carried in the SAML response, inside the assertion's
SubjectConfirmationData, and tie that response back to the request above:
5. InResponseTo
The ID of the SAML request that this response belongs to.
6. Recipient
The AssertionConsumerServiceURL of the service provider the assertion is
intended for. The SP's EntityID is carried separately, in the Audience
element.
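Steps 2 and 3 of the process flow and the request fields above, as an added Python example that is not part of these notes or of Auth0's code. The SP builds an AuthnRequest carrying ID, IssueInstant, AssertionConsumerServiceURL and Issuer, records the ID so a later InResponseTo can be matched, and encodes the request for the HTTP-Redirect binding (raw DEFLATE, then Base64, then URL-encoding), which is what the browser is redirected with. The SP and IdP URLs are assumed placeholders.

```python
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

# Hypothetical SP and IdP endpoints (assumptions, not taken from the notes).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

# Request IDs the SP has issued and not yet seen a response for. A response is
# accepted only if its InResponseTo is in here, and the entry is removed on use.
PENDING_REQUESTS = {}


def build_authn_request():
    """Step 2: return (request_id, AuthnRequest XML) with the four request fields."""
    # SAML IDs are XML NCNames, which may not start with a digit, hence the '_' prefix.
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    PENDING_REQUESTS[request_id] = issue_instant
    return request_id, xml


def redirect_binding_url(xml, relay_state="/dashboard"):
    """Step 3: the URL the browser is sent to. HTTP-Redirect binding means raw
    DEFLATE (no zlib header, hence wbits=-15), then Base64, then URL-encoding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,   # opaque value the SP gets back unchanged
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_binding(url):
    """What the IdP does at the start of step 4: reverse the encoding to get the XML."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


if __name__ == "__main__":
    rid, req = build_authn_request()
    url = redirect_binding_url(req)
    print(url)
    print(decode_redirect_binding(url) == req)   # True
```

If the SP signs redirect requests, the signature under this binding covers the query string (SigAlg and Signature parameters), not the XML; that is omitted here. The HTTP-POST binding instead sends the Base64 XML, uncompressed, in a form field.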

SAML Response Breakup

1. Assertion
An XML element that carries the details of the user: the subject (NameID),
the timestamp of the login event, the authentication method used, and the
conditions (audience, validity window) under which the SP may accept it.
2. Signature
An XML Signature over the assertion (and/or the whole response) computed with
the IdP's private key; its SignatureValue is a Base64 encoded string. The SP
verifies it with the IdP's certificate, which protects the integrity of the
assertion.

SAML Vulnerabilities
1. Signature not checked
If the SP does not verify the signature at all, someone can change the NameID
(username) in the SAML response and log in as someone else.
2. Signature only checked when it exists
If the SP only verifies a signature when one is present, someone can change
the NameID value and remove the signature element before the response is
submitted to the SP, and still log in as the victim. The signature must be
mandatory, not optional.
3. SAML Replay
The attacker captures a valid SAML response and submits it again, possibly
many times, to log in as the victim. The SP must honour NotOnOrAfter and accept
each assertion ID (and each InResponseTo) only once.
4. Comment Injection
A user can be registered with an XML comment in the username:
email: prerit<!--notprerit-->@test.com
Because comments are dropped during canonicalisation, the signature still
verifies, but an SP that reads only the first text node of the NameID sees
"prerit" and logs the attacker in as that user.
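The response fields above and all four vulnerabilities, as an added Python example that is not part of these notes. A vulnerable SP verifier is shown beside a hardened one: the naive version checks the signature only when one is present (which covers both signature issues), keeps no replay state, and reads the NameID as the first text node, so an injected comment truncates it; the strict version makes the signature mandatory, binds the assertion to a pending request ID, the ACS URL and the SP's EntityID, enforces NotOnOrAfter, accepts each assertion ID once, and rejects a NameID containing a comment. Assumptions: the IdP signing key, the SP URLs, and an HMAC over the comment-stripped assertion standing in for XML-DSig over the exclusive-C14N form (the comment-stripping is the relevant property of that canonicalisation); the IdP is assumed to write the NameID unescaped, which is what makes the notes' registered username a live comment.

```python
import base64
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone
from xml.dom import Node, minidom

# Hypothetical IdP signing key and SP identifiers (assumptions, not from the notes).
# Real SAML uses XML-DSig over the exclusive-C14N form of the assertion; an HMAC
# over a comment-stripped assertion stands in for that so the example runs offline.
IDP_KEY = b"idp-demo-signing-key"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def canonicalize(assertion_xml):
    # Exclusive C14N (the usual SAML choice) omits comments, so a comment added
    # after signing does not change what the signature covers.
    return re.sub(r"<!--.*?-->", "", assertion_xml, flags=re.S).encode()


def sign(assertion_xml):
    mac = hmac.new(IDP_KEY, canonicalize(assertion_xml), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def signature_valid(assertion_xml, signature_b64):
    return hmac.compare_digest(sign(assertion_xml), signature_b64)


def make_response(name_id, in_response_to, lifetime_s=300):
    """IdP side: a constructed response carrying the fields from the notes.
    The NameID is written unescaped, i.e. an IdP that lets '<!--' through."""
    now = datetime.now(timezone.utc)
    assertion = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{secrets.token_hex(8)}" IssueInstant="{now.strftime(TIME_FMT)}">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" '
        f'Recipient="{SP_ACS_URL}" '
        f'NotOnOrAfter="{(now + timedelta(seconds=lifetime_s)).strftime(TIME_FMT)}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )
    return {"assertion": assertion, "signature": sign(assertion)}


def verify_naive(resp):
    """Vulnerable SP: signature checked only when present (vulns 1 and 2), nothing
    remembered between logins (vuln 3), NameID read as the first text node, which
    stops at an injected comment (vuln 4). Returns the NameID or None."""
    if "signature" in resp and not signature_valid(resp["assertion"], resp["signature"]):
        return None
    doc = minidom.parseString(resp["assertion"])
    return doc.getElementsByTagName("saml:NameID")[0].firstChild.data


SEEN_ASSERTION_IDS = set()   # replay cache; in production, shared storage with expiry


def verify_strict(resp, pending_request_ids, now=None):
    """Hardened SP: signature mandatory, assertion bound to our request, ACS URL and
    EntityID, not expired, accepted once, NameID rejected if it contains a comment.
    Raises ValueError on any failure, otherwise returns the full NameID text."""
    now = now or datetime.now(timezone.utc)
    if not resp.get("signature") or not signature_valid(resp["assertion"], resp["signature"]):
        raise ValueError("missing or invalid signature")
    doc = minidom.parseString(resp["assertion"])
    scd = doc.getElementsByTagName("saml:SubjectConfirmationData")[0]
    if scd.getAttribute("InResponseTo") not in pending_request_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    if scd.getAttribute("Recipient") != SP_ACS_URL:
        raise ValueError("Recipient is not our ACS URL")
    if doc.getElementsByTagName("saml:Audience")[0].firstChild.data != SP_ENTITY_ID:
        raise ValueError("Audience is not our EntityID")
    expiry = datetime.strptime(scd.getAttribute("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("assertion expired")
    assertion_id = doc.documentElement.getAttribute("ID")
    if assertion_id in SEEN_ASSERTION_IDS:
        raise ValueError("replayed assertion")
    name_id = doc.getElementsByTagName("saml:NameID")[0]
    if any(n.nodeType == Node.COMMENT_NODE for n in name_id.childNodes):
        raise ValueError("comment inside NameID")
    # All checks passed: only now consume the request ID and remember the assertion.
    SEEN_ASSERTION_IDS.add(assertion_id)
    pending_request_ids.discard(scd.getAttribute("InResponseTo"))
    return "".join(n.data for n in name_id.childNodes if n.nodeType == Node.TEXT_NODE)


if __name__ == "__main__":
    legit = make_response("attacker@test.com", "_req1")
    forged = {"assertion": legit["assertion"].replace("attacker@test.com", "victim@test.com")}
    print("naive, signature stripped, NameID swapped:", verify_naive(forged))   # victim@test.com
    commented = make_response("prerit<!--notprerit-->@test.com", "_req2")
    print("naive, comment in NameID:", verify_naive(commented))                 # prerit
    print("strict, legitimate first use:", verify_strict(legit, {"_req1"}))     # attacker@test.com
    for name, bad, pending in [("forged", forged, {"_req1"}), ("replay", legit, {"_req1"}),
                               ("comment", commented, {"_req2"})]:
        try:
            verify_strict(bad, pending)
        except ValueError as err:
            print(f"strict rejects {name}: {err}")
```

Two details carry over to a real implementation: a replay cache must persist across SP instances and be pruned by NotOnOrAfter, and a real XML-DSig check must also confirm that the signed element is the one whose NameID is used (otherwise a signed assertion can be wrapped around an unsigned one).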
SAML Process Diagram (image not reproduced in this text)
