Hey all 👋
How’s everyone doing?! Hope you are fine and keeping yourself productive.
This article will only focus on SAML basics and a few vulnerabilities associated with it.
In layman’s terms, “SAML is that one friend (Identity Provider) of yours in the town you
live in, who knows every vendor (Service Provider) of that town, and as he has
authorized you (you being his friend), every other vendor provides you their services
without any further enquiries.”
A proper definition would be: “SAML (Security Assertion Markup Language) is an XML-based
SSO (Single Sign-On) authentication mechanism which transfers user identity data
between Identity Providers (IdP) and Service Providers (SP) to authenticate users to
access their requested resources without asking for credentials every time.”
It comes with advantages such as:
No need to type in credentials
No need to remember and renew passwords
No weak passwords
The implementation of SAML seems logical, as most organizations would already know
the identity of their users because they are logged into their Active Directory domain or
intranet. So it would also make sense to log the user into other 3rd party applications
such as web applications (Gmail, Outlook, Microsoft Office etc.).
How does SAML Authentication work?
Before we jump into the technical explanation, let us first go through a few terminologies.
Identity Providers: An identity provider (IdP) is a service that stores and verifies
user identity. IdPs are typically cloud-hosted services, and they often work with
single sign-on (SSO) providers to authenticate users.
Service Providers: Trust the identity provider and authorize the given user to
access the requested resource.
SAML Assertions: An XML document that is sent to the service provider by the
Identity Provider and contains the user’s authorization. This is sent over an HTTP
Let’s have a SAML talks! 2
There are 3 types of SAML Assertions:
Authentication assertion: proves the identity of the user and simultaneously yields the
user’s login time and the authentication method used.
Attribute assertion: provides the service provider with SAML attributes.
SAML attributes are the data about the logged-in user.
Authorization assertion: contains proof that a certain user has been authorized to
access a specified resource.
SAML Authentication assertion Example
SAML attribute assertion Example
Microsoft Active Directory or Azure are common identity providers. Salesforce and
other CRM systems are generally service providers, in that they rely upon an
identity provider for user validation.
So let’s try to make sense of all this.
Consider you are logged into a system that acts as an identity provider, e.g. Microsoft AD.
Let us assume that the user also wants to access any 3rd party application like
The SAML Authentication flow for the above would look like:
You access any Microsoft AD over the internet.
The application (Microsoft AD) identifies you, the user, and redirects you to the
identity provider (IdP), which prompts you for your valid credentials (username,
password and maybe your 2FA). This is what an authentication request
would look like.
Now you establish a session with the Identity Provider by logging into it.
The Identity Provider crafts an authentication response in the form of an XML
document containing the user data like email, username etc.; the Identity
Provider then signs this document with an X.509 certificate.
Now, when logged into Microsoft AD (Identity Provider), you try to access a 3rd
party application like Salesforce (Service Provider). You request resources from
Salesforce and it redirects you to the Identity Provider (i.e. Microsoft AD) with a SAML
The SAML request is passed on to the Identity Provider (Microsoft AD) via the
browser (user-agent), which now sends back a SAML response (XML document)
which was crafted before in step 4 and digitally signed with an X.509 certificate to
SAML Authorization assertion Example
The browser (user-agent) now passes the same SAML response back to the Service
The Service Provider (Salesforce), after receiving the SAML response from the Identity
Provider (Microsoft AD) via the browser (user-agent), now authenticates the user
without asking for credentials.
Mind you, during this whole process the Service Provider has
knowledge of the existence of the Identity Provider, which is
why a Service Provider would trust the Identity Provider to
authenticate any user.
Summing it all up, I’d say that SAML authentication gives you access to one service
which eventually grants you access to all other associated services.
Any SAML configuration is done on the two associated entities of SAML, i.e. IdP and SP. The
configuration of the IdP is important as it should be aware of where the users
should be redirected when they try to access any SP. And the SP needs to be
configured because it needs to know that the SAML assertion sent by the IdP can be
SAML Flow Visualization.
The SAML assertion format is provided by the SP and set by the IdP. Below are a few key
elements of any SAML assertion that need to be set by an admin.
It’s a unique name for any SP. The format/syntax may vary. See example
Assertion Consumer Service (ACS):
The location of the URL where the SAML
assertion will be sent. See example below
A safety mechanism in the form of a regex that ensures that the SAML
assertion goes to the specified ACS.
The SAML assertion attribute contains info about the user.
Here the information we deal with is provided by the IdP and set at the SP.
A certificate provided by the IdP which is passed through the
SAML assertion and is used to verify the public key.
Contains information about the IdP in order to validate the SAML assertion
received from the IdP-provided URL.
Read more about SAML Configuration here
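As an added example (my own code, not from the article or any SAML library), here is the Service Provider side of the last flow step: it checks the configured values listed above (trusted IdP entity ID, ACS URL, SP audience, assertion validity window) before extracting the attributes, and remembers consumed assertion IDs so the same assertion cannot be presented twice. The hostnames and the sample response are constructed; a real SP also verifies the XMLDSig signature against the IdP certificate, which is only checked for presence here.

```python
# Added example: SP-side validation of a SAML response against the SP's configured
# IdP entity ID, ACS URL and audience, plus a consumed-ID set to reject replays.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample response (hypothetical hosts, not a real IdP's output).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1"
  Destination="https://sp.example.com/saml/acs">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">(omitted)</ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
SP_CONFIG = {"idp_entity_id": "https://idp.example.com/metadata",  # trusted IdP
             "acs_url": "https://sp.example.com/saml/acs",         # our ACS URL
             "sp_entity_id": "https://sp.example.com/metadata"}    # our entity ID

def parse_time(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_response(xml_text, config, now, expected_request_id, seen_ids):
    """Return (True, attributes) or (False, reason). seen_ids holds consumed assertion IDs."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["acs_url"]:
        return False, "destination is not our ACS URL"
    if root.get("InResponseTo") != expected_request_id:
        return False, "response does not match our outstanding request"
    a = root.find("saml:Assertion", NS)
    if a is None or a.find("ds:Signature", NS) is None:
        return False, "assertion missing or unsigned"  # real SPs verify XMLDSig with the IdP cert here
    if a.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        return False, "issuer is not the trusted IdP"
    cond = a.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if config["sp_entity_id"] not in [x.text for x in cond.findall(".//saml:Audience", NS)]:
        return False, "audience does not include this SP"
    if a.get("ID") in seen_ids:
        return False, "assertion ID already consumed (replay)"
    seen_ids.add(a.get("ID"))
    return True, {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
                  for at in a.findall(".//saml:Attribute", NS)}
```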
Vulnerabilities and attacks
Now that we are done with the basic concept of SAML, we can move on to the
attacks and vulnerabilities associated with it. I obviously can’t explain them all here,
so I’ll be listing a few out here with resources. In my next article I might explain them; till
then, read the resources here.
1. Identity Theft attack
2. Golden SAML
3. SAML Replay Attack
4. SAML Command Injection