Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

(github.blog)

312 points campuscodi | 2 comments | 15 Mar 25 19:06 UTC | HN request time: 0.425s | source

Show context

Diggsey ◴[15 Mar 25 20:39 UTC] No.43375000[source]▶

I recently had to implement SAML and this headline does not surprise me in the slightest.

The SAML spec itself is fairly reasonable, but is built upon XML signatures (and in turn, XML canonicalization) which are truly insane standards, if they can even be called such.

Only a committee could produce such a twisted and depraved specification, no single mind would be capable of holding and combining such contradictory ideas.

It would be so simple to just transmit signatures out-of-band and SAML would be a pleasure to implement.

replies(3): >>43375038 #>>43375229 #>>43375725 #

TZubiri ◴[15 Mar 25 23:02 UTC] No.43375725[source]▶

>>43375000 #

Is SSO salvageable at all? It seems like the idea of just logging into different accounts is fine.

Also just the idea of connecting your accounts together such that you can get megacompromised is foundationally riskier

replies(4): >>43376069 #>>43376167 #>>43376289 #>>43378267 #

1. thayne ◴[16 Mar 25 01:18 UTC] No.43376289[source]▶

>>43375725 #

OIDC is better than SAML, but that isn't a high bar. And OIDC has its own problems.

replies(1): >>43376359 #

2. tptacek ◴[16 Mar 25 01:33 UTC] No.43376359[source]▶

>>43376289 (TP) #

OIDC's problems are nothing like those of SAML.

↑