
    312 points campuscodi | 11 comments
    1. tptacek No.43375191
    SAML (more broadly XML-DSIG) is literally the worst security protocol in common use. I think you should generally be taking whatever hits you need to take to transition from it to OAuth. Certainly, I would refuse to bring a new product to market that relied on it. It's incredibly dangerous. Unless there's some breakthrough in practical formal verification, I can't imagine that this will be the last or the worst DSIG vulnerability.
    replies(4): >>43375239 >>43375862 >>43376397 >>43376552
    2. shellcromancer No.43375239
    Security Cryptography Whatever's take on this week's SAML nonsense will be fun.
    replies(1): >>43375276
    3. tptacek No.43375276
    Honestly, hadn't thought of it, but of course we should do that. Thanks!
    replies(1): >>43376014
    4. nimish No.43375862
    One day I will write an essay on all of the incredibly stupid things XML DSig does, and that's not even touching the cryptography. It's peak enterprise software brain.

    Someone should go deep on the mailing list and standards body horrors of WS-* and OASIS/XACML and all that crap

    replies(1): >>43380286
    5. janderson215 No.43376014
    I’d sub to infosec rant podcasts. $5/mo Patreon sub for a non-vtuber version.
    6. akdor1154 No.43376397
    My (possibly misunderstood to the point of misphrasing) understanding, is that SAML still has the point-of-difference that your sso provider can cancel a session. Is that right?
    replies(3): >>43376637 >>43376735 >>43376899
    7. Nextgrid No.43376637
    OIDC has out-of-band backchannel logout.
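    The back-channel logout mentioned above, as an added example that is not part of the thread or of any commenter's code: a minimal RP-side handler that validates an OIDC logout token (the checks in OpenID Connect Back-Channel Logout 1.0, section 2.6) and revokes the matching local sessions. The issuer, client_id, shared secret and session store are constructed for the example, and HS256 is used so it runs offline with the standard library; a real OP signs logout tokens with an asymmetric key published in its JWKS, so the signature check would go through that key instead.

```python
"""
Added example (not from the thread): a minimal OIDC Back-Channel Logout
receiver. The OP POSTs a logout_token JWT to the RP's backchannel_logout_uri;
the RP validates it and terminates the matching session(s). HS256 with a
shared secret is an assumption made so the example runs offline; real OPs
sign with an asymmetric key from their JWKS. Issuer, client_id, secret and
session store are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

ISSUER = "https://op.example"          # assumed OP issuer
CLIENT_ID = "rp-client-1"              # assumed RP client_id
SHARED_SECRET = b"constructed-secret"  # assumed HS256 key (asymmetric in practice)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_logout_token(claims):
    """Build an HS256 JWT the way the (constructed) OP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_logout_token(token, now=None, max_age=120):
    """Verify the signature and the claims the spec requires of a logout token.
    Raises ValueError on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat out of range")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    if "nonce" in claims:                     # spec: a logout token MUST NOT carry nonce
        raise ValueError("nonce present")
    return claims


def handle_logout(token, sessions, now=None):
    """Revoke every local session matching the token's sid (or sub when no sid).
    sessions maps local session id -> {"sid": ..., "sub": ...}. Returns revoked ids."""
    claims = validate_logout_token(token, now)
    key = "sid" if "sid" in claims else "sub"
    revoked = [k for k, v in sessions.items() if v.get(key) == claims[key]]
    for k in revoked:
        del sessions[k]
    return revoked


def demo(now=1_700_000_000.0):
    """Constructed session store and logout token for a stand-alone run."""
    sessions = {
        "local-a": {"sid": "op-session-1", "sub": "alice"},
        "local-b": {"sid": "op-session-2", "sub": "alice"},
        "local-c": {"sid": "op-session-3", "sub": "bob"},
    }
    tok = sign_logout_token({
        "iss": ISSUER, "aud": CLIENT_ID, "iat": int(now), "jti": "evt-1",
        "sid": "op-session-1", "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    })
    revoked = handle_logout(tok, sessions, now)
    return revoked, sorted(sessions)


if __name__ == "__main__":
    print(demo())  # (['local-a'], ['local-b', 'local-c'])
```

    Because the token carries a sid, only the one OP session is revoked and the user's other session at the same RP survives; a token with only sub would revoke every session for that subject. The spec additionally recommends tracking jti values to reject replayed logout tokens, which a production handler should add on top of these checks.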
    8. akerl_ No.43376735
    Can it? In many SAML setups, there's not direct network interaction between the IDP and Service, other than at most sharing metadata via URL.
    9. recursive No.43376899
    There's an optional feature in the spec I think. But in my very limited experience, it is never implemented or working correctly.
    replies(1): >>43379009
    10. p_ing No.43379009
    Microsoft implements this in Azure/M365.
    11. pushkar2911 No.43380286
    Please write about this. I would love to read it.