
We are using the nameId from the SAML response (in email format) to identify and authorize the incoming user on our system. Could a different authenticated user not alter the SAML response from their redirection to have a different known nameId, authorizing themselves as a different user on our system?

Rob Powell

1 Answer


Generally, no. The SAML response and/or the assertions contain a signature that would become invalid if the underlying XML (such as the value of the NameId attribute) were altered. The relying party verifies this signature prior to trusting the contents of the assertion.

Of course, software is software and there could be bugs at either end, e.g.

  1. The system that generates SAML (Identity Provider) could have a bug where it allows them to specify arbitrary usernames to be placed into the assertions before the signature is added.
  2. The receiving system (Relying Party) could have a bug where it fails to verify the signature. It should be noted that the signature can be found in multiple places in the SAML and there's a category of bugs that allow XML signature wrapping attacks to defeat the intended validation. It is not recommended to "roll your own" signature validation. Rather, depend on one of the well-tested implementations (commercial or open source) that exist for most platforms.

But these would be rather fundamental errors. The SAML specification itself is designed to protect against exactly the problem you describe. This is why you need to obtain the public key of your IDP (either via metadata or out of band) prior to receiving any SAML assertions. They sign with their private key and you verify with the public key associated.

explunit
  • Thanks, this implementation isn't checking the signature. I'll get that added. We were sent the code by an IdP a while back and I've already had a ton of issues with it on other IdPs. It does check the certificate is valid but not the Signature. Thanks again. – Rob Powell Feb 23 '18 at 16:40
  • The SAML consumer may also have other bugs, such as once the nameID is extracted, the SAML consumer incorrectly looks up the user which allows users to be authenticated as other users. But as @explunit pointed out, this isn't an issue with SAML, but an issue with the SAML consumer. – saghaulor Feb 23 '18 at 17:46
  • @RobPowell I added some additional cautions to point #2. Building your own SAML validation can be a very large effort to protect against all types of attacks. – explunit Feb 23 '18 at 20:12
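Added example (not code from the answer or from the asker's IdP-supplied implementation) of the consumer-side check behind point #2: the NameID is taken only from the element the signature actually covers, with the "#ID" reference resolved by the consumer itself so that a duplicate or unsigned assertion is refused. It assumes a stand-in signature (HMAC-SHA256 over the serialised assertion with a constructed key) in place of real XML-DSig so that it runs with the standard library alone; `build_response` constructs the sample responses.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}
# Constructed demo key standing in for the IdP signing key. HMAC-SHA256 over the
# ElementTree serialisation is a stdlib-only stand-in for real XML-DSig (asymmetric, C14N).
IDP_KEY = b"constructed-demo-idp-key"

def sign_value(assertion):
    clone = copy.deepcopy(assertion)               # enveloped signature: sign the assertion
    for sig in clone.findall("ds:Signature", NS):  # with its own ds:Signature removed
        clone.remove(sig)
    return hmac.new(IDP_KEY, ET.tostring(clone), hashlib.sha256).hexdigest()

def naive_name_id(response_xml):
    """Vulnerable consumer: trusts the first NameID found anywhere in the document."""
    return ET.fromstring(response_xml).findtext(".//saml:NameID", namespaces=NS)

def signed_name_id(response_xml):
    """Hardened consumer: returns a NameID only from the assertion the signature covers."""
    root = ET.fromstring(response_xml)
    sigs = root.findall(".//ds:Signature", NS)
    ref = sigs[0].find("ds:SignedInfo/ds:Reference", NS) if len(sigs) == 1 else None
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    # Resolve "#ID" ourselves and refuse duplicates: wrapping attacks rely on the
    # signature verifier and the consumer resolving one reference to different elements.
    targets = [e for e in root.iter() if e.get("ID") == ref.get("URI")[1:]]
    if len(targets) != 1 or targets[0].tag != f"{{{SAML}}}Assertion" or sigs[0] not in list(targets[0]):
        return None
    given = sigs[0].findtext("ds:SignatureValue", default="", namespaces=NS)
    if not hmac.compare_digest(sign_value(targets[0]), given):
        return None
    return targets[0].findtext("saml:Subject/saml:NameID", namespaces=NS)

def _assertion_xml(name_id, aid, signature=""):
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="{aid}"><saml:Subject><saml:NameID>'
            f'{name_id}</saml:NameID></saml:Subject>{signature}</saml:Assertion>')

def build_response(unsigned_extra=None):
    """Constructed sample: one signed assertion for 'alice', optionally preceded by an unsigned one."""
    value = sign_value(ET.fromstring(_assertion_xml("alice", "a1")))
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#a1"/>'
           f'</ds:SignedInfo><ds:SignatureValue>{value}</ds:SignatureValue></ds:Signature>')
    extra = _assertion_xml(unsigned_extra, "a2") if unsigned_extra else ""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{extra}{_assertion_xml("alice", "a1", sig)}</samlp:Response>')
```

On the constructed response with an extra unsigned assertion, `naive_name_id` returns the unsigned name while `signed_name_id` still returns `alice`, and it returns `None` for a tampered NameID or a duplicated ID.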