←back to thread

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

(github.blog)
312 points campuscodi | 5 comments | 15 Mar 25 19:06 UTC | HN request time: 0.658s | source
Show context
tptacek ◴[15 Mar 25 21:11 UTC] No.43375191[source]
SAML (more broadly XML-DSIG) is literally the worst security protocol in common use. I think you should generally be taking whatever hits you need to take to transition from it to OAuth. Certainly, I would refuse to bring a new product to market that relied on it. It's incredibly dangerous. Unless there's some breakthrough in practical formal verification, I can't imagine that this will be the last or the worst DSIG vulnerability.
replies(4): >>43375239 #>>43375862 #>>43376397 #>>43376552 #
1. akdor1154 ◴[16 Mar 25 01:43 UTC] No.43376397[source]
My (possibly misunderstood to the point of misphrasing) understanding, is that SAML still has the point-of-difference that your sso provider can cancel a session. Is that right?
replies(3): >>43376637 #>>43376735 #>>43376899 #
2. Nextgrid ◴[16 Mar 25 02:51 UTC] No.43376637[source]
OIDC has out-of-band backchannel logout.
3. akerl_ ◴[16 Mar 25 03:18 UTC] No.43376735[source]
Can it? In many SAML setups, there's not direct network interaction between the IDP and Service, other than at most sharing metadata via URL.
4. recursive ◴[16 Mar 25 04:14 UTC] No.43376899[source]
There's an optional feature in the spec I think. But in my very limited experience, it is never implemented or working correctly.
replies(1): >>43379009 #
5. p_ing ◴[16 Mar 25 13:39 UTC] No.43379009[source]
Microsoft implements this in Azure/M365.