A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Trust, But Verify, Your SAML Service Providers - (BSides Nashville 2017) (Hacking Illustrated Series InfoSec Tutorial Videos)

Trust, But Verify, Your SAML Service Providers

Bruce Wilson

BSides Nashville 2017

**BLUF**: This talk will provide an overview of how SAML Authentication works, the basics of the open-source framework we're building to test SAML implementations, and our results to date using that framework. SAML (Security Assertion Markup Language) Authentication is widely used, particularly for internal Single Sign-On (SSO) and for using organizational (company or university) credentials to log into cloud services. Users can use their employer (or university) login for access to the service, and the employer gets better control and insight over cloud logins. SAML relies on public key cryptography and the service provider checking the integrity of the (signed) SAML assertion. A [2012 Usenix paper by Samorovsky et al](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf) claimed that 80% of SAML frameworks tested could be broken, allowing impersonation attacks, as a result of flaws in the integrity checking of the SAML signature. A [recent Black Hat presentation](http://www.forbes.com/sites/thomasbrewster/2016/11/03/this-hack-can-break-into-1-billion-android-app-accounts/#1a16269b14a2) showed similar flaws in many Android implementations of the related OAuth protocol. This is a serious concern, since a malicious actor could potentially impersonate any user to a flawed SAML Service Provider. We were unable to locate any working code, including from the authors of the above paper, for testing SAML implementations. So, as both a learning exercise to better understand the guts of SAML and a security tool to enable validation that our partners were using correct SAML implementations (both internally for single sign-on and externally for cloud applications), we set out to build an open-source set of tools for testing SAML service providers. We built this framework in Ruby, to complement the Cucumber testing framework in use for testing applications.

Bruce Wilson started his career as a chemist, doing large scale data analysis and developing high throughput research methods, but was drowning in data. Building tools for his own use led to building them for others, and eventually he migrated completely to being in an IT division. His recent work has focused on Identity, Credential, and Access Management, learning more of the Defense Against the Dark Arts and even a bit of offensive Magicks. JT Liso (co-author) is a third-year Computer Science student at the University of Tennessee. Currently, his interests lie within machine learning and security, hoping to find a way to combine the two to make more secure systems. After his undergraduate degree, he plans on continuing his education through UT۪s 5 years masters program, focusing his thesis on machine learning.

Back to BSides Nashville 2017 list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast