
312 points | campuscodi | 1 comments
tptacek No.43375191
SAML (more broadly XML-DSIG) is literally the worst security protocol in common use. I think you should generally be taking whatever hits you need to take to transition from it to OAuth. Certainly, I would refuse to bring a new product to market that relied on it. It's incredibly dangerous. Unless there's some breakthrough in practical formal verification, I can't imagine that this will be the last or the worst DSIG vulnerability.
replies(4): >>43375239 >>43375862 >>43376397 >>43376552
akdor1154 No.43376397
My (possibly misunderstood to the point of misphrasing) understanding is that SAML still has the point of difference that your SSO provider can cancel a session. Is that right?
replies(3): >>43376637 >>43376735 >>43376899
Nextgrid No.43376637
OIDC has out-of-band backchannel logout.
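An RP-side handler for the OIDC back-channel logout Nextgrid refers to, added here as an illustration and not code from the thread or from any OIDC library. To stay self-contained it assumes an HS256 shared secret between OP and RP (a real OP signs with RS256 and publishes keys via JWKS), and the issuer, client id and session store are constructed values.

```python
import base64, hashlib, hmac, json
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"  # required member of the "events" claim

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the OP: mints an HS256 logout token (a real OP signs RS256, keys via JWKS)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def validate_logout_token(token: str, secret: bytes, issuer: str, client_id: str,
                          seen_jti: set, now: float, max_age: int = 120) -> dict:
    """RP-side checks from OIDC Back-Channel Logout 1.0 sec. 2.6; raises ValueError on any failure (malformed too)."""
    head, body, sig = token.split(".")
    if json.loads(_unb64u(head)).get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id != (aud := claims.get("aud")) and client_id not in (aud if isinstance(aud, list) else []):
        raise ValueError("wrong audience")
    if abs(now - claims.get("iat", 0)) > max_age:  # reject stale tokens (a missing iat counts as stale)
        raise ValueError("iat missing or stale")
    if "nonce" in claims or not (claims.get("sub") or claims.get("sid")):  # a nonce marks an ID token, not a logout token
        raise ValueError("nonce present, or neither sub nor sid")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # replay protection; seen_jti only needs to cover the max_age window
        raise ValueError("jti missing or replayed")
    seen_jti.add(jti)
    return claims

def backchannel_logout(token, secret, issuer, client_id, sessions: dict, seen_jti: set, now: float) -> int:
    """Revoke RP sessions tied to the token's sid, or every session of its sub when no sid is given."""
    c = validate_logout_token(token, secret, issuer, client_id, seen_jti, now)
    key, want = ("sid", c["sid"]) if c.get("sid") else ("sub", c["sub"])
    victims = [k for k, s in sessions.items() if s.get(key) == want]
    for k in victims:
        del sessions[k]
    return len(victims)
```

The token must be rejected before any session is touched; an ID token replayed at the logout endpoint fails the nonce check, and a re-delivered logout token fails the jti check.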