SAML 2.0 response validation
We do this by having the Service Provider redirect our user to the Identity Provider with a SAML request. Once the Identity Provider is satisfied as to the user’s identity, they send them back to the Service Provider with a SAML response.

The software is essentially presuming that we’ve already checked that a message coming from an insecure channel is signed, when this isn’t the case.
I can, in theory, write a signature anywhere within a document that refers to the “third to last element”, or an equally vague expression.
The solution in the standard is to attach an XML Signature to each message, protecting that message against tampering.
The XML Signature standard is an immensely complicated beast, designed by a working group involving all the big names, and intended to be a one-size-fits-all solution to building tamper-resistant XML documents.
However, messages that pass through secure channels, such as an SSL/TLS back channel, do not have to be signed.
As a result of this, we’ve seen SAML consumers that validate any signature present, but silently skip validation if the signature is removed.
Whenever the Service Provider is supposed to check something, there’s an opportunity for them to fail to do so or do so incorrectly, giving us an opportunity to bypass the signature.
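The two failure modes above (skipping validation when the signature is absent, and accepting a signature whose reference is a vague expression rather than the ID of the element it is supposed to protect) can be caught by structural checks that run before any cryptography. The following is an added example written for this page, not code from the original post or from any SAML library. It uses only the Python standard library, treats the sample messages it builds as constructed test data with dummy digest and signature values, and leaves the actual cryptographic verification to a real XML-DSig implementation; it only decides whether a signature must be verified and over which element. The `via_back_channel` flag and the helper names are assumptions of this example.

```python
"""Structural pre-checks for a SAML 2.0 Response before signature verification."""
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Transforms a signature over a SAML element may use. The XPath transform,
# which is what lets a reference describe "the third to last element",
# is deliberately absent from this allow-list.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


class SamlPolicyError(Exception):
    """Raised when a message does not meet the signature policy."""


def _find_signature(root):
    """Return (signed_element, ds:Signature) for the Response or its Assertion."""
    sig = root.find(f"{{{DS}}}Signature")
    if sig is not None:
        return root, sig
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is not None:
        sig = assertion.find(f"{{{DS}}}Signature")
        if sig is not None:
            return assertion, sig
    return None, None


def required_signature_target(xml_bytes: bytes, via_back_channel: bool = False) -> Optional[str]:
    """Decide whether a signature must be verified and over which element.

    Returns the ID of the element the verifier must check, or None when the
    message arrived over an authenticated back channel without a signature.
    Raises SamlPolicyError in every other non-conforming case.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlPolicyError("not a samlp:Response")

    signed_elem, sig = _find_signature(root)
    if sig is None:
        if via_back_channel:
            return None  # integrity came from TLS, as the standard allows
        # A missing signature is a rejection, never a reason to skip the check.
        raise SamlPolicyError("unsigned message received over an insecure channel")

    target_id = signed_elem.get("ID")
    if not target_id:
        raise SamlPolicyError("signed element has no ID attribute")

    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise SamlPolicyError(f"expected exactly one ds:Reference, found {len(refs)}")
    ref = refs[0]

    # The reference must be a same-document ID reference to the element that
    # directly contains the signature, not an arbitrary expression.
    if ref.get("URI") != f"#{target_id}":
        raise SamlPolicyError(f"ds:Reference URI {ref.get('URI')!r} does not name the signed element")

    for tr in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
        if tr.get("Algorithm") not in ALLOWED_TRANSFORMS:
            raise SamlPolicyError(f"transform {tr.get('Algorithm')!r} not permitted")

    # The ID must be unique, otherwise the verifier and the consumer may
    # resolve it to different elements.
    if sum(1 for e in root.iter() if e.get("ID") == target_id) != 1:
        raise SamlPolicyError(f"ID {target_id!r} is not unique in the document")

    return target_id


def sample_response(signed: bool = True, uri: str = "#_resp1",
                    transform: str = "http://www.w3.org/2000/09/xmldsig#enveloped-signature") -> bytes:
    """Constructed sample Response; DigestValue and SignatureValue are dummies."""
    sig = f"""
      <ds:Signature xmlns:ds="{DS}">
        <ds:SignedInfo>
          <ds:Reference URI="{uri}">
            <ds:Transforms><ds:Transform Algorithm="{transform}"/></ds:Transforms>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>BBBB</ds:SignatureValue>
      </ds:Signature>""" if signed else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1">{sig}
      <saml:Assertion ID="_a1"><saml:Subject/></saml:Assertion>
    </samlp:Response>""".encode()
```

In use, the ID this function returns is handed to the XML-DSig verifier together with the trusted Identity Provider certificate, and the consumer must then read attributes only from that same element. An unsigned front-channel message is refused outright, which is the behaviour the consumers described above lacked.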