
Talk:SAML Security Cheat Sheet


From James McGovern

1. Need to provide some guidance via links to things that could go wrong. For example, don't disable CRL/OCSP, since SAML relies on certs. Should also warn against self-signed certs and prefer well-known Root CAs: mandatory for transport and ideally for signing.

2. SAML applications generally use hostnames to identify issuers, but the SAML standard allows applications to use any string. We should validate in this regard.

3. Include some guidance on sharing user identity across organizations. Make sure you aren't doing something dumb. Maybe guidance should include using opaque identifiers as outlined in Kim Cameron's Laws of Identity.

From Gunnar

Agree with James. Also, suggest adding a First Mile Integration and Last Mile Integration section. The SAML protocol is rarely the vector of choice, though it's important to have cheat sheets to make sure that this is robust. The various endpoints are more targeted, so how the SAML token is generated and how it is consumed are both important in practice.

For First Mile:

- Strong Authentication options for generating the SAML token
- IDP validation: which IDP mints the token

For Last Mile:

- Validating session state for user
- Level of granularity in setting authZ context when consuming SAML token (do you use groups, roles, attributes)
- Validate authorized IDP

Also, a reminder that just because it's a security protocol does not mean that input validation goes away. There should be a pointer to this for all SAML providers/consumers.
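Added example, not part of this Talk page or the cheat sheet: a service-provider-side check in the spirit of James's point 2 and Gunnar's "Validate authorized IDP". It matches the Issuer as an exact string against an allowlist of onboarded IdPs, then checks the assertion's validity window and audience. The allowlist, SP entity ID and sample response are constructed for illustration, and XML signature verification is assumed to be done separately before any of these values are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values: the IdPs this SP has onboarded and the SP's own entity ID.
# Issuer is compared as an exact string, since SAML allows any string there.
AUTHORIZED_ISSUERS = frozenset({"https://idp.example.org/saml2/idp"})
EXPECTED_AUDIENCE = "https://sp.example.net/saml2/sp"

# Constructed, unsigned sample response used only to exercise the checks below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/saml2/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/saml2/idp</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.net/saml2/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

def saml_time(value):
    # SAML dateTime values are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now):
    """Return the problems found (empty list = all checks passed). Signature
    verification is not done here and must happen before these values are trusted."""
    problems = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in AUTHORIZED_ISSUERS:
        problems.append(f"unauthorized issuer: {issuer!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        problems.append("assertion issuer differs from response issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return problems + ["Conditions lacks NotBefore/NotOnOrAfter"]
    if now < saml_time(not_before):
        problems.append("assertion not yet valid")
    if now >= saml_time(not_on_or_after):
        problems.append("assertion expired")
    audiences = [(a.text or "").strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience restriction does not name this SP")
    return problems
```

The same allowlist approach applies to any issuer string an IdP federation agrees on, not only hostname-shaped ones.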