SAML is insecure by design by @joonas_fi | PT SWARM

SAML is insecure by design
by @joonas_fi

"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."

Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading

https://joonas.fi/2021/08/saml-is-insecure-by-design/