SAML Artifact Information Flow Revisited
Authors
Abstract
The standardized OASIS Security Assertion Markup Language (SAML) has become one of the most deployed frameworks in federated identity management, even though it focuses only on single sign-on. Because it answers industry's pursuit of lower user-management costs and its browser-based profiles enable cost-efficient deployment, SAML is believed to become widely used soon. With the revision to Version 2.0, SAML's browser/artifact profile in particular has gained new security measures that defeat old vulnerabilities. We analyze this profile and focus on the problem of artifact information flow. We devise a concrete exploit to demonstrate the impact of this problem. We address the problem with a new browser/artifact profile called Janus. The innovation is to split the artifact into two independent shares that have different information flows in a standard web browser. This new method defeats artifact information flow efficiently without relying on assumptions about the artifact lifetime.
Similar references
SAML Privacy-Enhancing Profile
We present the SAML Privacy-Enhancing (PE) profile which empowers users to take control of the authentication process and their personal data. Users have the full control of the application flow and get detailed information about the involved participants and the revealed attributes. This enables users to give informed consent for the authentication. The new profile builds on well-established s...
Security Analysis of the SAML Single Sign-on Browser/Artifact Profile
Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The Security Assertion Markup Language (SAML) is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user-management costs. SAML utilizes a constraint-based specification that is a popular desig...
On Breaking SAML: Be Whoever You Want to Be
The Security Assertion Markup Language (SAML) is a widely adopted language for making security statements about subjects. It is a critical component for the development of federated identity deployments and Single Sign-On scenarios. In order to protect the integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm...
The “Man with Serpents” revisited. On a Figurated Pin from the Bronze Age Site of Shahdad (Kerman, Iran)
We discuss a figured pin from Shahdad, previously well known but published with a partial and unsatisfactory drawing. More detailed observations and a new, more realistic recording of this important artifact reconsider its stylistic and iconographic links with the imagery of the Halil Rud civilization and the eastern Iranian Plateau in general, and, at its opposite cultural poles, with Mesopot...
On Cryptographically Strong Bindings of SAML Assertions to Transport Layer Security
In recent research, two approaches to protect SAML based Federated Identity Management (FIM) against man-in-the-middle attacks have been proposed. One approach is to bind the SAML assertion and the SAML artifact to the public key contained in a TLS client certificate. Another approach is to strengthen the Same Origin Policy of the browser by taking into account the security guarantees TLS gives...