Questions tagged [saml]

An open Single Sign-On (SSO) standard for the web, addressing a problem also tackled by OpenID.

142 questions

Authenticate via SAML without establishing SSO session

My SaaS application offers enterprise customers the option to use SAML to authenticate their user population against their own Identity Provider. This normally works fine; however, I am looking for advice on an edge case related to shared devices. I…
yui91749

How does one detect and deter golden SAML attacks?

How does one defend, detect and deter golden SAML attacks?
Nathan Aw

How does an IDP send a SAML assertion to an SP?

I'm new to security concepts. I am studying how SAML works, and I'm confused about how an IDP sends a SAML assertion to an SP. I searched on the internet and found that two scenarios are possible. The first is when you authenticate to an IDP: the IDP sends the…

How to decrypt an encrypted SAML assertion using a private RSA key?

Our system supports SAML2 and acts as a service provider. Our customer uses ADFS as the identity provider. Metadata has been exchanged and the connection works. Unfortunately, our system complains about the SAML…
oschlueter

App-to-app or service-to-service authentication using federated login

I have an application Foo that exposes a web-based portal as well as a REST API service via HTTPS. When a human user connects to the app Foo to use its web-based portal, the human user is first redirected to an OAuth2-based login page. Once the…
Lone Learner

Do SAML responses containing encrypted assertions provide protection against MiTM attacks?

A previously asked question touches on topics which are very similar to what I am having trouble understanding. In a web application I am testing, SAML SSO is brokered using Keycloak. The SAML Response messages contain Encrypted Assertions…
Charles

Is this possible in SAML?

Scenario: Consider a huge and diverse federation of Identity Providers (IDPs) and Service Providers (SPs). Since the trust level is generally low, Identity Providers are reluctant to give out any kind of personally identifiable information (PII). Now there are some…
jk - Reinstate Monica

SAML and Multi-factor auth

I have an application that is a SAML SP, authenticating users via inbound SAML assertions from some other IdP. If I want to require multi-factor auth, is it a common practice to add multi-factor auth on the SAML SP side, on top of validating the…
wrschneider

Security of a web app with AzureAD auth

The company I work for is about to publish a custom web app (hosted in AWS) that authenticates through AzureAD. That way, when someone goes to https://www.mywebap.com they are redirected to AzureAD and, if successfully authenticated, access is…

Could SAML assertion/token be shared or reused between service providers?

SAML noob here. I have an idea of implementing permissions (authorization) outside of the IdP, which effectively becomes a "Permission Service Provider", so, say, when an application (another service provider) that authenticates against the IdP via SAML…
James Lin

SSO Log Users Out Based on IP Address

We would like to implement SAML-based SSO for our organization. We do not want employees to be able to access specific accounts outside of specific hours and IP ranges. (We do not want to set up a VPN for that use case for multiple…

Shibboleth SP two resources and two IDPs

I am looking for some recommendations / advice on the following scenario: using Apache 2.4 and Shib 2. The setup is SP-initiated. On only one Apache web server, I am protecting two resources: example.com/siteA and example.com/siteB. SiteA's IDP is…
Darragh

Azure AD Application Proxy Security Concerns + Azure Application Gateway (WAF) Better?

I am still new to security and still learning the basics, so I was interested in getting some feedback on two Azure services. Edit: We are a school, and the applications host 4000+ parent and student records, including medical records, so security is…
Andrew P

Attack vectors with encrypted SAML assertion response

I'm testing a web application which uses SAML SSO. The SAML Response has a signature, and it is verified correctly if the data is tampered with. But I noticed that when the signature is removed completely, authentication to the SP succeeds. In general, it's clear what is…
MKT

SAML nameID impersonation

We are using the nameId from the SAML response (in email format) to identify and authorize the incoming user on our system. Could a different authenticated user not alter the SAML response from their redirection to have a different known nameId?…
Rob Powell