Bruce Wilson

**BLUF**: This talk will provide an overview of how SAML Authentication works, the basics of the open-source framework we're building to test SAML implementations, and our results to date using that framework. SAML (Security Assertion Markup Language) Authentication is widely used, particularly for internal Single Sign-On (SSO) and for using organizational (company or university) credentials to log into cloud services. Users can use their employer (or university) login for access to the service, and the employer gets better control and insight over cloud logins. SAML relies on public key cryptography and the service provider checking the integrity of the (signed) SAML assertion. A [2012 Usenix paper by Samorovsky et al](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf) claimed that 80% of SAML frameworks tested could be broken, allowing impersonation attacks, as a result of flaws in the integrity checking of the SAML signature. A [recent Black Hat presentation](http://www.forbes.com/sites/thomasbrewster/2016/11/03/this-hack-can-break-into-1-billion-android-app-accounts/#1a16269b14a2) showed similar flaws in many Android implementations of the related OAuth protocol. This is a serious concern, since a malicious actor could potentially impersonate any user to a flawed SAML Service Provider. We were unable to locate any working code, including from the authors of the above paper, for testing SAML implementations. So, as both a learning exercise to better understand the guts of SAML and a security tool to enable validation that our partners were using correct SAML implementations (both internally for single sign-on and externally for cloud applications), we set out to build an open-source set of tools for testing SAML service providers. We built this framework in Ruby, to complement the Cucumber testing framework in use for testing applications.

Bruce Wilson started his career as a chemist, doing large scale data analysis and developing high throughput research methods, but was drowning in data. Building tools for his own use led to building them for others, and eventually he migrated completely to being in an IT division. His recent work has focused on Identity, Credential, and Access Management, learning more of the Defense Against the Dark Arts and even a bit of offensive Magicks. JT Liso (co-author) is a third-year Computer Science student at the University of Tennessee. Currently, his interests lie within machine learning and security, hoping to find a way to combine the two to make more secure systems. After his undergraduate degree, he plans on continuing his education through UT‰Ûªs 5 years masters program, focusing his thesis on machine learning.

Back to BSides Nashville 2017 list