Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers. The primary SAML use case is called Web Browser Single Sign-On (SSO). A user utilizes a user agent (usually a web browser) requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent.
The following sections analyze the security risks in using and implementing SAML and describe countermeasures PHPKB SAML SSO plugin use to mitigate the risks.
At the level of the SAML assertion itself, there is little to be said about security concerns. Most concerns arise during communications in the request/response protocol, or during the attempt to use SAML by means of one of the bindings. The consumer is, of course, always expected to honor the validity interval of the assertion and any elements that are present in the assertion. However, one issue at the assertion level bears analysis: an assertion, once issued, is out of the control of the issuer. This fact has a number of ramifications. For example, the issuer has no control over how long the assertion will be persisted in the systems of the consumer; nor does the issuer have control over the parties with whom the consumer/service provider will share the assertion information. These concerns are over and above concerns about a malicious attacker who can see the contents of assertions that pass over the wire unencrypted (or insufficiently encrypted). While efforts have been made to address many of these issues within the SAML specification, nothing contained in the specification will erase the requirement for careful consideration of what to put in an assertion. At all times, issuers should consider the possible consequences if the information in the assertion is stored on a remote site, where it can be directly misused, or exposed to potential hackers, or possibly stored for more creatively fraudulent uses. Issuers should also consider the possibility that the information in the assertion could be shared with other parties, or even made public, either intentionally or inadvertently.
The following sections describe security considerations for the SAML request-response protocol itself, apart from any threats arising from use of a particular protocol binding.
The SAML protocol is susceptible to a denial of service (DOS) attack. Handling a SAML request is potentially a very expensive operation, including parsing the request message (typically involving construction of a DOM tree), database/assertion store lookup (potentially on an unindexed key),construction of a response message, and potentially one or more digital signature operations. Thus, the effort required by an attacker generating requests is much lower than the effort needed to handle those requests.
PHPKB SAML SSO plugin/module signs request, also narrows the order of the asymmetry between the work done by the SAML plugin and responder. The additional work required of the responder to verify the signature is a relatively small percentage of the total work required of the responder, while the process of calculating the digital signature represents a relatively large amount of work for the requester. Narrowing this asymmetry decreases the risk associated with a DOS attack. Note, however, that an attacker can theoretically capture a signed message and then replay it continually, getting around this requirement. This situation can be avoided by requiring the use of the XML Signature element <ds:SignatureProperties> containing a timestamp; the timestamp can then be used to determine if the signature is recent. So the narrower the window of valid signature after the issue of response, the higher security you have against replay denial of service attacks.
The security considerations in the design of the SAML request-response protocol depend to a large extent on the particular protocol binding (as defined in the SAML bindings specification [SAMLBind]) that is used. The bindings sanctioned by the OASIS Security Services Technical Committee are the SOAP binding, Reverse SOAP Binding (PAOS), HTTP Redirect binding, HTTP Redirect/POST binding and HTTP Artifact binding and SAML URI bindings. PHPKB SAML SSO plugin support Http-Redirect and Http-POST bindings.
2.1.2. Denial of Service
Threat: Malicious redirects to Identity Provider or Service Provider targets.
Description: A spurious entity could issue a redirect to a user agent so that the user agent would access a resource that disrupts Single Sign-On. For example, an attacker could redirect the user agent to a logout resource of a service provider causing the Principal to be logged out of all existing authentication sessions.
Countermeasures: Access to resources that produce side effects are specified with a transient qualifier that must correspond to the current authentication session. Alternatively, a confirmation dialog could be interposed that relies on a transient qualifier with similar semantics.
2.2.1. Stolen Assertion
Threat: If an eavesdropper can copy the real user’s SAML response and included assertions, then the eavesdropper could construct an appropriate POST body and be able to impersonate the user at the destination site.
Countermeasures: We maintain confidentiality whenever a response is communicated between SAML SSO plugin and the user’s browser. This provides protection against an eavesdropper obtaining a real user’s SAML response and assertions. If an eavesdropper defeats the measures used to ensure confidentiality, additional countermeasures are available:
2.2.2. Forged Assertion
Threat: A malicious user, or the browser user, could forge or alter a SAML assertion.
Countermeasures: The browser/POST profile requires the SAML response carrying SAML assertions to be signed, thus providing both message integrity and authentication. The PHPKB SAML SSO plugin verifies the signature and authenticate the issuer.
2.2.3. Browser State Exposure
Threat: The browser/POST profile involves uploading of assertions from the web browser to a Service Provider site. This information is available as part of the web browser state and is usually stored in persistent storage on the user system in a completely unsecured fashion. The threat here is that the assertion may be “reused” at some later point in time.
Countermeasures: Assertions communicated using this profile must always have short lifetimes and should have a <OneTimeUse> SAML assertion <Conditions> element. Service Provider sites are expected to ensure that the assertions are not re-used.
Threat: Replay attacks amount to re-submission of the form in order to access a protected resource fraudulently.
Countermeasures: The PHPKB SAML SSO plugin mandates that the assertions transferred have the one-use property, preventing replay attacks from succeeding.
2.2.5. Modification or Exposure of state information
Threat: Relay state tampering or fabrication. Some of the messages may carry a <RelayState> element, which is recommended to be integrity-protected by the producer and optionally confidentiality-protected. If these practices are not followed, an adversary could trigger unwanted side effects. In addition, by not confidentiality-protecting the value of this element, a legitimate system entity could inadvertently expose information to the Identity Provider or a passive attacker.
Countermeasure: Follow the recommended practice of confidentiality- and integrity- protecting the RelayState data. Note: Because the value of this element is both produced and consumed by the same system entity, symmetric cryptographic primitives could be utilized.
The SAML profiles specification [SAMLProf] defines profiles of SAML, which are sets of rules describing how to embed SAML assertions into and extract them from a framework or protocol.
Note that user authentication at the source site is explicitly out of scope, as are issues related to this source site authentication. The key notion is that the source system entity must be able to ascertain that the authenticated client system entity that it is interacting with is the same as the one in the next interaction step. One way to accomplish this is for these initial steps to be performed using TLS as a session layer underneath the protocol being used for this initial interaction (likely HTTP).
3.1.1. SSO Profile
220.127.116.11. Message Modification
Threat: The possibility of alteration of the messages in the stream exists for this set of profiles. Some potential undesirable results are as follows:
Countermeasures: To avoid message modification, the traffic needs to be transported by means of a system that guarantees message integrity from endpoint to endpoint. For the web browser-based profiles, the recommended method of providing message integrity in transit is the use of HTTP over TLS/SSL with a cipher suite that provides data integrity checking.
3.1.2. Single Logout Profile
Threat: Passive attacker can collect a Principal’s name identifier. During the initial steps, a passive attacker can collect the <LogoutRequest> information when it is issued in the redirect. Exposing these data poses a privacy threat.
Countermeasures: All exchanges should be conducted over a secure transport such as SSL or TLS.
Threat: An Unsigned <LogoutRequest> could be injected by a spurious system entity thus denying service to the Principal. Assuming that the NameID can be deduced or derived then it is conceivable that the user agent could be directed to deliver a fabricated <LogoutRequest> message.
Countermeasures: PHPKB SAML SSO plugin/module signs the <LogoutRequest> message. The Identity Provider can also verify the identity of a Principal in the absence of a signed request.
Threat: Allow system entities to correlate information or otherwise inappropriately expose identity information, harming privacy.
Countermeasures: IDP must take care to use different name identifiers with different service providers for the same principal. The IDP should encrypt the name identifier it returns to the service provider, allowing subsequent interactions to use an opaque identifier.
3.2.1. Attribute Profiles
Threats related to bindings associated with attribute profiles are discussed above. No additional profile-specific threats are known.
Security and privacy must be addressed in a systematic manner, considering human issues such as social engineering attacks, policy issues, key management and trust management, secure implementation and other factors are outside the scope of this document. Security technical solutions have a cost, so requirements and policy alternatives must also be considered as a must legal and regulatory requirements. This non-normative document summarizes general security issues and approaches as well as specific threats and countermeasures for the use of SAML assertions, protocols, bindings and profiles in a secure manner that maintains privacy. Normative requirements are specified in the normative SAML specifications.
Whether you are looking for an in-house solution OR a cloud-hosted knowledge management software, PHPKB offers enterprise-class features with the pricing that can fit a small business budget.Purchase Now
Some of the world's best companies are our prestigious clients and proudly use PHPKB knowledge management software.
TRY BEFORE YOU BUY
Get a fully functional 30-day trial (hosted OR owned) of the PHPKB software.
Our knowledge base software is easy to use and backed by awesome support.