Questions tagged [saml]

An open standard for web single sign-on (SSO), a problem also addressed by OpenID.

142 questions
32 votes, 1 answer

What are the differences between JSON Web Tokens, SAML and OAuth 2?

What are the differences between JSON Web Tokens, SAML and OAuth 2? Please provide some pointers and a high-level overview of their functions. Specifically, why would one use SAML over JSON Web Tokens or vice versa? Does one need to have OAuth 2 to use…

Jadiel de Armas (421 rep; badges 1, 4, 3)
18 votes, 1 answer

What is the purpose of AudienceRestriction in SAML 2.0?

Having read through the core specification for SAML 2.0 section 2.5.1.4 (page 23) I still cannot fully understand the purpose of the AudienceRestriction tag and what problem it is attempting to rectify. My, probably incorrect, interpretation of the…

Christoffer (1,030 rep; badges 1, 6, 14)
16 votes, 4 answers

How is SAML solving the cross domain single sign-on problem?

Let's say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and now I decide to visit the second website. The…

user3127
15 votes, 4 answers

How do the STS token formats compare to each other: SAML vs SWT vs JWT?

I'm configuring an Azure ACS STS and would like to know if there is any impact on security based on the following token formats or how they are used. The answers to this question should apply to other STSs such as CA Siteminder, Ping Identity,…

makerofthings7 (50,090 rep; badges 54, 250, 536)
13 votes, 1 answer

SAML, and forcing a re-authentication

I have a use case forced upon me by industry regulation. I wish it wasn't there, but it is. A user logs in to my service, navigates around, etc. The user can perform many actions, but one of the actions requires (by industry regulation) that the…

Alan C. (245 rep; badges 2, 6)
13 votes, 1 answer

SAML and Kerberos: what to use where

I came across SAML and Kerberos; both are used to establish identity using assertions (tickets), so is there an overlap in their use? Can somebody highlight their differences and point out which technology is a better fit where? Thanks. Update to add…

mzzzzb (269 rep; badges 1, 2, 6)
12 votes, 1 answer

SAML 2.0 IdP metadata security

Identity Providers (IdP) often provide a metadata file that is used when setting up SAML. This file needs to be entered into a Service Provider (SP). Do we need to keep this metadata file private and secure? Or is the information within it all safe…

Ben McCann (319 rep; badges 2, 10)
12 votes, 3 answers

SAML2 vs. OAuth - What are some reasonable relationships?

I have a service that allows SSO via SAML2. When SAML2 is used, we delegate the entire authentication process to the Identity Provider. We are considering adding OAuth in order to support some mobile applications. (We don't want the user to have to…

brendanjerwin (255 rep; badges 2, 7)
12 votes, 2 answers

Definition of "passive" and "active" authentication?

I came across the concepts of passive authentication and active authentication in my work related to SAML 2.0 single-sign-on integration. I tried very hard to find a clear, generic definition and a proper explanation on these two concepts but almost…

Chiranga Alwis (221 rep; badges 2, 5)
12 votes, 2 answers

Where should a keystore (.jks) be stored in a repository

I've got a question about the best practice in storing a Keystore file (.jks) in source control. This Keystore is called by a stand-alone Java component that retrieves a private key for the purpose of signing SAML assertions. For security purposes I…

rdChris (181 rep; badges 1, 1, 6)
10 votes, 3 answers

How to achieve seamless SSO without having the user log in again (SAML 2.0 & ADFS using OpenSSO)

We need to implement seamless SSO with ADFS SAML 2.0 using OpenSSO & we plan to go with IdP-initiated GET binding. The user in the client network will log in to ADFS with Windows credentials once every morning. Thereon, whenever he accesses our…

user36009 (163 rep; badges 1, 1, 5)
10 votes, 4 answers

Does OpenID, SAML pose a threat to Tor's anonymity? How can I protect from a compromised .exit node?

This is a thought experiment on the interaction between Tor, OpenID and one (or more) compromised nodes in the secure path. I'm focused on how to use technology in a way that adds value to a secure cloud solution. I have no interest in using this…

makerofthings7 (50,090 rep; badges 54, 250, 536)
10 votes, 2 answers

SAML 2.0 Multiple AuthnStatements

If I interpret the SAML 2.0 protocol correctly you can have multiple AuthnStatements. What is the purpose of this? I cannot see a use case of having multiple AuthnStatements really.

Robert (233 rep; badges 1, 6)
9 votes, 0 answers

SolarWinds Orion SAML compromise mass cert update

SolarWinds Orion customers have suffered some network compromises according to news reports. One report says, right at the end of the article, that SAML 2.0 signing certificates may have been compromised. From the point of view of a SAML service…
8 votes, 1 answer

Why not use same certificate for webserver TLS and Signing in SAML?

I have read a bit about configuring Shibboleth, and recommendations for SAML at Internet2. I get the point that a certificate does not have to be signed when used for SAML, because actually only the key is needed. However, I keep seeing people…

Jens Timmerman (252 rep; badges 1, 9)