Revision as of 01:27, 1 September 2015

Last revision (mm/dd/yy): 09/1/2015

Introduction

1 Introduction
2 Validate Message Confidentiality and Integrity
3 Validate Protocol Usage
4 Validate Protocol Processing Rules
5 Validate Binding Implementation
6 Validate Security Countermeasures
7 Authors and Primary Editors
- 7.1 Other Cheatsheets

The Security Assertion Markup Language (SAML) is an open standard for exchanging authorization and authentication information. The Web Browser SAML/SSO Profile with Redirect/POST bindings is one of the most common SSO implementation. This cheatsheet will focus primarily on that profile.

Validate Message Confidentiality and Integrity

TLS 1.2 is the most common solution to guarantee message confidentiality and integrity. Refer to SAML Security (section 4) for additional information. This step will help counter the following attacks:
- Eavesdropping 7.1.1.1
- Theft of User Authentication Information 7.1.1.2
- Theft of the Bearer Token 7.1.1.3
- Message Deletion 7.1.1.6
- Message Modification 7.1.1.7
- Man-in-the-middle 7.1.1.8
A digitally signed message with a certified key is the most common solution to guarantee message integrity and authentication. Refer to SAML Security (section 4) for additional information. This step will help counter the following attacks:
- Man-in-the-middle 6.4.2
- Forged Assertion 6.4.3

Validate Protocol Usage

This is a common area for security gaps - see Google SSO vulnerability (AVANTSSAR 2008) for a real life example. Their SSO profile was vulnerable to a Man-in-the-middle attack from a malicious SP (Service Provider). The SSO Web Browser Profile is most susceptible to attacks from trusted partners. This particular security flaw was exposed because the SAML Response did not contain all of the required data elements necessary for a secure message exchange. Following the SAML Profile usage requirements for AuthnRequest (4.1.4.1) and Response (4.1.4.2) will help counter this attack. The AVANTSSAR team suggested the following data elements should be required:

AuthnRequest(ID, SP); An AuthnRequest must contain and ID and SP. Where ID is a string uniquely identifying the request and an SP identifies the Service Provider that initiated the request. Furthermore, the request ID attribute must be returned in the response (InResponseTo="<requestId>"). InResponseTo helps guarantee authenticity of the response from the trusted IdP. This was one of the missing attributes that left Google's SSO vulnerable.
Response(ID, SP, IdP, {AA} K -1/IdP); A Response must contain all these elements. Where ID is a string uniquely identifying the response. SP identifies the recipient of the response. IdP identifies the identity provider authorizing the response. {AA} K -1/IdP is the assertion digitally signed with the private key of the IdP.
AuthAssert(ID, C, IdP, SP); An authentication assertion must exist within the Response. It must contain an ID, a client (C), an identity provider (IdP), and a service provider (SP) identifier.

Further vulnerabilities in SAML implementations were described in 2012 (On Breaking SAML: Be Whoever You Want to Be). The following recommendations were proposed in response (Secure SAML validation to prevent XML signature wrapping attacks):

Always perform schema validation on the XML document prior to using it for any security-related purposes.
- Always use local, trusted copies of schemas for validation.
- Never allow automatic download of schemas from third party locations.
- If possible, inspect schemas and perform schema hardening, to disable possible wildcard type or relaxed processing statements.
Securely validate the digital signature.
- If you only expect only one signing key, use StaticKeySelector. Obtain the key directly from the identity provider, store it in local file and ignore any KeyInfo elements in the document.
- If you expect more than one signing key, use X509KeySelector (the JKS variant). Obtain these keys directly form the identity providers, store them in local JKS and ignore any KeyInfo elements in the document.
- If you expect a heterogenous signed documents (many certificates from many identity providers, multilevel validation paths), implement full trust establishment model based on PKIX and trusted root certificates.
Avoid signature-wrapping attacks.
- Never used getElementsByTagName to select security related elements in an XML document without prior validation.
- Always use absolute XPath expressions to select elements, unless a hardened schema is used for validation.

Validate Protocol Processing Rules

This is another common area for security gaps simply because of the vast number of steps to assert. Processing a SAML response is an expensive operation but all steps must be validated.

Validate AuthnRequest processing rules. Refer to SAML Core (3.4.1.4) for all AuthnRequest processing rules. This step will help counter the following attacks:
- Man-in-the-middle (6.4.2)
Validate Response processing rules. Refer to SAML Profiles (4.1.4.3) for all Response processing rules. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Man-in-the-middle (6.4.2)
- Forged Assertion (6.4.3)
- Browser State Exposure (6.4.4)

Validate Binding Implementation

For an HTTP Redirect Binding refer to SAML Binding (3.4). To view an encoding example, you may want to reference RequestUtil.java found within Google's reference implementation.
For an HTTP POST Binding refer to SAML Binding (3.5). The caching considerations are also very important. If a SAML protocol message gets cached, it can subsequently be used as a Stolen Assertion (6.4.1) or Replay (6.4.5) attack.

Validate Security Countermeasures

Revisit each security threat that exists within the SAML Security document and assert you have applied the appropriate countermeasures for threats that may exist for your particular implementation. Additional countermeasures considererd should include:

Prefer IP Filtering when appropriate. For example, this countermeasure could have prevented Google's initial security flaw if Google provided each trusted partner with a separate endpoint and setup an IP filter for each endpoint. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Man-in-the-middle (6.4.2)
Prefer short lifetimes on the SAML Response. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Browser State Exposure (6.4.4)
Prefer OneTimeUse on the SAML Response. This step will help counter the following attacks:
- Browser State Exposure (6.4.4)
- Replay (6.4.5)

Need an architectural diagram? The SAML technical overview contains the most complete diagrams. For the Web Browser SSO Profile with Redirect/POST bindings refer to the section 4.1.3. In fact, of all the SAML documentation, the technical overview is the most valuable from a high-level perspective.

Authors and Primary Editors

Other Cheatsheets

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

@@ Line 10: / Line 10: @@
 The <i>Security Assertion Markup Language</i> (SAML) is an open standard for exchanging authorization and authentication information. The <i>Web Browser SAML/SSO Profile with Redirect/POST bindings</i> is one of the most common SSO implementation. This cheatsheet will focus primarily on that profile.
-=Validate Message Confidentiality and Integrity=
+= Validate Message Confidentiality and Integrity =
 * [[Transport Layer Protection Cheat Sheet|TLS 1.2]] is the most common solution to guarantee message confidentiality and integrity. Refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf SAML Security (section 4)] for additional information. This step will help counter the following attacks:
@@ Line 22: / Line 23: @@
 **Man-in-the-middle 6.4.2
 **Forged Assertion 6.4.3
 =Validate Protocol Usage=
@@ Line 44: / Line 46: @@
 ** Never used getElementsByTagName to select security related elements in an XML document without prior validation.
 **Always use absolute XPath expressions to select elements, unless a hardened schema is used for validation.
 =Validate Protocol Processing Rules=
@@ Line 55: / Line 58: @@
 ** Forged Assertion (6.4.3)
 ** Browser State Exposure (6.4.4)
 =Validate Binding Implementation=
@@ Line 60: / Line 64: @@
 *For an HTTP Redirect Binding refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf SAML Binding] (3.4). To view an encoding example, you may want to reference RequestUtil.java found within [https://developers.google.com/google-apps/sso/saml_reference_implementation_web Google's reference implementation].
 * For an HTTP POST Binding refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf SAML Binding] (3.5). The caching considerations are also very important. If a SAML protocol message gets cached, it can subsequently be used as a Stolen Assertion (6.4.1) or Replay (6.4.5) attack.
 =Validate Security Countermeasures=
@@ Line 75: / Line 80: @@
 Need an architectural diagram? The [http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf SAML technical overview] contains the most complete diagrams. For the Web Browser SSO Profile with Redirect/POST bindings refer to the section 4.1.3. In fact, of all the SAML documentation, the technical overview is the most valuable from a high-level perspective.
 = Authors and Primary Editors =
@@ Line 80: / Line 86: @@
 * [http://bradbroulik.blogspot.dk/2010/01/bulletproof-sso-with-saml-20.html Brad Broulik]
 * [https://ipsec.pl/ Paweł Krawczyk]
 == Other Cheatsheets ==

Difference between revisions of "SAML Security Cheat Sheet"

Revision as of 01:27, 1 September 2015

Introduction

Validate Message Confidentiality and Integrity

Validate Protocol Usage

Validate Protocol Processing Rules

Validate Binding Implementation

Validate Security Countermeasures

Authors and Primary Editors

Other Cheatsheets

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools