
I'm testing a web application which uses SAML SSO. The SAML Response has a signature, and it is verified correctly if the data is tampered with. But I noticed that when the signature is removed completely, authentication to the SP succeeds. In general it's clear what the issue/vulnerability is here, but the assertion data is encrypted, so I'm not able to modify any of the data.

I can, for example, log in with an admin-level user, store the response and let it expire. Then I log in with a lower-level user, stop the response, change the IssueInstant etc. values to get past the expiration check and copy the admin-level user's encrypted values into the response, but then I get a response saying that the assertion is expired. So it seems that the assertion includes its own expiration time and that it is inside the encrypted data.

In the above scenario the attacker would of course need to gain access to the admin's old SAML response somehow (access to the admin's browser cache or to some logs), but that isn't really relevant.

So the question is: can there still be some real attack scenarios without the ability to break the encryption used for the assertion, or does the encryption completely mitigate the invalid signature check?

MKT

1 Answer


Either the SAML response or SAML assertion should be signed and the signature verified.

An XML signature permits the identity of the sender to be confirmed and any changes to the signed XML to be detected. This ensures the integrity of the XML.

Otherwise, the SP has no way of knowing who sent the SAML response or assertion and whether it's been altered after signing.

In your scenario it's possible that the encrypted assertion is signed and the SP is verifying the assertion's signature. However, it's unusual for both the SAML response and assertion to be signed so I would question whether the assertion is actually signed.

Encrypting the SAML assertion ensures privacy, but anyone with access to the SP's public key can create and encrypt an assertion.

ComponentSpace
  • But even if the assertion isn't signed, the attacker would still need to know what claims are expected inside the assertion to generate a valid-looking SAML response. Because the assertion is encrypted, it can be assumed that the attacker won't have that information. So I'm still wondering if there's any attack vector without "breaking" the encryption to see the contents of the assertion? – MKT Dec 13 '18 at 22:31