Hey all 👋
How’s everyone doing?! Hope you are fine and keeping yourself productive
This article will only focus on SAML basics and a few vulnerabilities associated with it.

The Introduction

In layman’s terms, “SAML is that one friend (the Identity Provider) of yours in the town you
live in, who knows every vendor (Service Provider) in that town; because he has vouched
for you (you being his friend), every other vendor provides you their services without any
further enquiries.”
A proper definition would be, “SAML (Security Assertion Markup Language) is an XML-based
SSO (Single Sign-On) authentication mechanism which transfers user identity data between
Identity Providers (IdP) and Service Providers (SP) to authenticate users to access their
requested resources without asking for credentials every time”.
It comes with advantages such as:
No need to type in credentials
No need to remember and renew passwords
No weak passwords
The implementation of SAML seems logical, as most organizations already know the identity
of their users because they are logged into the Active Directory domain or the intranet. So
it also makes sense to log the user into other 3rd party applications, such as web
applications (Gmail, Outlook, Microsoft Office etc).

How does SAML Authentication work?

Before we jump into the technical explanation, let us first go through a few terms.
Identity Providers: An identity provider (IdP) is a service that stores and verifies
user identity. IdPs are typically cloud-hosted services, and they often work with
single sign-on (SSO) providers to authenticate users.
Service Providers: A service provider trusts the identity provider and authorizes the
given user to access the requested resource.
SAML Assertions: An XML document that is sent to the service provider by the
identity provider and contains the user’s authorization. This is sent over an HTTP
browser redirect.
There are 3 types of SAML Assertions:
Authentication assertion: proves the identity of the user and also yields the user’s
login time and the authentication method used.
Attribute assertion: provides the service provider with SAML attributes. SAML
attributes are the data about the logged-in user.
Authorization assertion: contains proof that a certain user has been authorized to
access a specified resource.
SAML Authentication assertion example
SAML attribute assertion example
Microsoft Active Directory or Azure are common identity providers. Salesforce and
other CRM systems are generally service providers, in that they rely upon an
identity provider for user validation.
So let’s try to make sense of all this.
Consider you are logged into a system that acts as an identity provider, Microsoft AD.
Let us assume that the user also wants to access a 3rd party application like
Salesforce.
The SAML Authentication flow for the above would look like this:
1. You access Microsoft AD over the internet.
2. The application (Microsoft AD) identifies you, the user, and redirects you to the
identity provider (IdP), which prompts you for your valid credentials (username,
password and maybe your 2FA code). This is what an authentication request looks
like.
3. Now you establish a session with the Identity Provider by logging into it.
4. The Identity Provider crafts an authentication response in the form of an XML
document containing user data like email, username etc., and then signs this
document with an X.509 certificate.
5. Now, while logged into Microsoft AD (Identity Provider), you try to access a 3rd
party application like Salesforce (Service Provider). You request resources from
Salesforce and it redirects you to the Identity Provider (i.e. Microsoft AD) with a
SAML request.
6. The SAML request is passed on to the Identity Provider (Microsoft AD) via the
browser (user-agent), which now sends back a SAML response (XML document),
the one crafted in step 4 and digitally signed with the X.509 certificate, to the
browser (user-agent).
SAML Authorization assertion example
7. The browser (user-agent) now passes the same SAML response on to the Service
Provider (Salesforce).
8. The Service Provider (Salesforce), after receiving the SAML response from the
Identity Provider (Microsoft AD) via the browser (user-agent), now authenticates the
user without asking for credentials.
Mind you that throughout this process the Service Provider already knows of the
existence of the Identity Provider; that is the reason why a Service Provider trusts the
Identity Provider to authenticate any user.
Summing it all up, I’d say that SAML authentication gives you access to one service,
which in turn grants you access to all other associated services.

SAML Configuration

Any SAML configuration is done on the two associated entities of SAML, i.e. the IdP and
the SP. The configuration of the IdP is important because it must know where users
should be redirected when they try to access any SP. And the SP needs to be configured
because it needs to know that the SAML assertion sent by the IdP can be trusted.
SAML Flow Visualization.
Configuring IdP
The SAML assertion format is provided by the SP and set at the IdP. Below are a few key
elements of any SAML assertion that need to be set by an admin.

EntityID: A unique name for any SP. The format/syntax may vary. See example below.
Assertion Consumer Service (ACS): The URL where the SAML assertion will be sent. See
example below.
https://example.edu/SAML/consume
ACS validator: A safety mechanism in the form of a regex that ensures that the SAML
assertion goes to the specified ACS.
^https:\/\/example.edu\/saml\/consume\/$
Attributes: The SAML assertion attributes contain information about the user.
user@example.edu
SP Configuration
Here the information we deal with is provided by the IdP and set at the SP.
X.509 Certificate: A certificate provided by the IdP, which is passed along with the
SAML assertion and whose public key is used to verify the assertion’s signature.
Issuer URL: Contains information about the IdP in order to validate the SAML assertion
received from the IdP-provided URL.
https://example.edu/saml/id/metadata.php
Read more about SAML Configuration here
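As an added example (not code from the article), here are the checks an SP should run on the signed SAML response it receives at the end of the flow above, using the configuration values from this section: the Issuer URL, the ACS validator regex, the EntityID as the expected audience, the assertion's validity window, and an assertion-ID cache that refuses a re-submitted response (the replay case listed under Vulnerabilities below). The SP EntityID, the assertion ID and the sample response are constructed; verifying the X.509 signature itself is left to an XML-DSig library, so only its presence is checked here.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP-side settings using the article's example values; the SP EntityID is a constructed placeholder.
SP_CONFIG = {"entity_id": "https://sp.example.edu/metadata",
             "issuer_url": "https://example.edu/saml/id/metadata.php",
             "acs_validator": r"^https://example\.edu/SAML/consume$"}

def saml_time(value):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, config, now, seen):
    root = ET.fromstring(xml_text)  # returns the list of failed checks; [] means accepted
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:  # presence only; XML-DSig crypto goes to a library
        problems.append("assertion is not signed")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["issuer_url"]:
        problems.append(f"unexpected issuer {issuer!r}")
    if not re.fullmatch(config["acs_validator"], root.get("Destination", "")):
        problems.append("Destination does not match the ACS validator")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != config["entity_id"]:
        problems.append(f"audience {audience!r} is not this SP")
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = (saml_time(cond.get(a)) for a in ("NotBefore", "NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        problems.append("outside the NotBefore/NotOnOrAfter window")
    aid = assertion.get("ID")
    if aid in seen:  # 'seen' is the replay cache; a real SP uses a shared store that expires entries
        problems.append(f"assertion {aid} already consumed (replay)")
    elif not problems:
        seen.add(aid)  # remember accepted IDs so a resubmitted copy of this response is refused
    return problems

# Constructed sample response carrying the article's Issuer URL, ACS URL and user attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://example.edu/SAML/consume"><saml:Assertion ID="_constructed-id-1">
 <saml:Issuer>https://example.edu/saml/id/metadata.php</saml:Issuer>
 <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Call it as validate_response(SAMPLE_RESPONSE, SP_CONFIG, saml_time("2024-01-01T12:01:00Z"), set()) and it returns an empty list; note that the article's validator regex as written (lowercase saml, trailing slash, unescaped dot) does not match the article's own ACS URL https://example.edu/SAML/consume, which is why the config above uses an anchored, escaped form, and a mismatch like that is worth catching in a test before it reaches production.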

Vulnerabilities and attacks

Now that we are done with the basic concepts of SAML, we can move on to the
attacks and vulnerabilities associated with it. I obviously can’t explain them all here,
so I’ll list a few with resources. In my next article I might explain them; till then,
read the resources here.

1. Identity Theft attack

2. Golden SAML

3. SAML Replay Attack

4. SAML Command Injection

References:
https://docs.oracle.com/cd/E27515_01/common/tutorials/authz_saml_assertion.html
https://duo.com/blog/the-beer-drinkers-guide-to-saml
https://developers.onelogin.com/saml
https://www.varonis.com/blog/what-is-saml

Author

Mr_fr3qu3n533