Questions tagged [saml]

An open Single Sign On (SSO) solution for the web, a problem also addressed by OpenID.

142 questions
Do I have to validate Saml2 InResponseTo?
7 votes, 2 answers

I'm implementing a SAML2 Service Provider that will be running on a public-facing web site. The sign-in functionality is publicly available, so anyone can get hold of an AuthnRequest from my site. When I do receive a response from the IdP, do I have…
Anders Abel

Verify SAML Response is from a Trusted Source
7 votes, 2 answers

I'm in the process of making changes to my site so that we can be a SAML 2.0 Service Provider. We will be doing IdP-initiated SAML with Out-of-Band account federation. My question is this: Given a SAML response that is posted to the target page on…
theycallmemorty

Self-signed certificate for an IdP-initiated SAML SSO
7 votes, 1 answer

We act as a Service Provider in a SAML SSO integration with our customers. During the dev and stage testing, we usually exchange metadata files and SSO endpoints. When forming our metadata we use the openssl command-line tool to generate a…
alecxe

Why is OAuth2/OpenID Connect considered less secure than SAML/WS-*?
6 votes, 3 answers

The prevailing notion seems to be that OAuth2 and OpenID Connect are considered less secure than SAML/WS-Federation. From what I gather, it comes down to encryption, i.e. the fact that OAuth2/OpenID Connect do not support token encryption and…
Aashish Koirala

Does SAML 2.0 define how to pass username and password for authentication?
6 votes, 1 answer

I'm aware of how SAML is used for single sign-on (SSO). That is, redirection to the IdP from the SP and getting the user's identity from the SAML response/assertion. My question is: Does the SAML 2.0 specification define how to pass username and password as…
ksrini

Combining capability-based access control with SAML
6 votes, 2 answers

I have been looking into various research on identity, PKI and access control, trying to boil it down to a simplified methodology for IAM (Identity & Access Management). One thing which pops up in lots of places is capability-based access control, as…

Authentication Middleware
6 votes, 4 answers

We run a large distributed system consisting of a number (>10) of Django-based web services and web applications with a consumer base of about 10000 university students. Currently, we use a single single-sign-on system (Shibboleth) provided by our…
Jedi

Why should I trust a JSON Web Token (JWT)?
6 votes, 1 answer

In the SAML and Kerberos authentication models, there is an explicit understanding of what authority has authenticated the user and issued the credential to be trusted by downstream systems. For purposes of identity propagation, the rights of the…
JaimeCastells

SAML Assertion to Windows Identity (Kerberos token?) transformation
5 votes, 1 answer

This is the scenario I need to cover: A web service that trusts an IdP using WS-Trust or anything like that receives a SAML token to authenticate the user, and we need to call some SQL Server or any kind of service that uses Windows integrated…
Matt

How do Azure ACS 2.0 security features compare to ADFS 2.0?
5 votes, 2 answers

I'm configuring my relying party (a website) to use either ADFS or Azure ACS 2.0. ADFS 2.0 has some interesting features such as Token Replay prevention (in the SQL version) and may have other SAML security features as well (which I may not…
makerofthings7

Shibboleth user attribute encryption
5 votes, 2 answers

How does Shibboleth guarantee that 3rd parties do not get access to user attributes contained in a SAML 2.0 assertion exchanged between IdP and SP? Is it correct that all user attributes are encrypted when transferred from IdP to SP? Are the user…
niklr

How to get better IAM understanding
5 votes, 1 answer

I'm getting interested in Identity and Access Management (IAM), but I find it hard to find complete and understandable explanations that suit me, surely because I started wrong. I began with Wikipedia and followed discussions here and there…
Bytemare

Do I need to use SAML and JWT for auth in SSO web app?
5 votes, 0 answers

I am new to the SAML authentication process, so I am just trying to figure out if I understand it so I can try to integrate my web app (Angular/Nodejs) with an existing portal that currently uses SAML as a means of authentication. Once a user logs into the…

How does SAML signature exchange work between IDP and SP?
5 votes, 1 answer

I'm trying to understand the SAML 2.0 protocol (signed) exchange. Here is what I understood so far: The IDP has its own public (PB1) and private (PV1) pair; the SP has its own public (PB2) and private (PV2) pair. Now when an IDP has to sign data, it…
Ratatouille

Should I create one key pair per customer as Service Provider in SAML?
4 votes, 2 answers

This is more or less the reverse of what's asked in this question. I recently added SSO with SAML to a SaaS web application, making said application the Service Provider (SP). This is done so customers (companies) can use their existing Identity…
musiKk
