saml-dev message



Subject: RE: [saml-dev] Re: SAML Response Status Codes for User exceeding max permitted attempts


From: Siddhartha Purkayastha [mailto:kpsiddharth@gmail.com]
Sent: Thursday, January 22, 2009 3:59 AM
To: Philpott, Robert
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Re: SAML Response Status Codes for User exceeding max permitted attempts

 

The specs say -

urn:oasis:names:tc:SAML:2.0:status:Responder
The request could not be performed due to an error on the part of the SAML responder or SAML
authority.

I am not sure this is an error on the part of the provider. The responder behaved correctly to realize permitting further attempts may not be safe.

[RSP] Responder is the correct top-level code. Technically, it is the authentication authority (not the SAML responder) that behaved correctly by not letting the user log in.

 

The SAML Responder indicates to the SAML Requester that it cannot satisfy the requester’s AuthnRequest (success would mean returning an assertion).  The Responder indicates this with a top-level urn:…:Responder status.  The Responder indicates that the specific failure was urn:…:AuthnFailed in the second-level status.


Can sending an AuthFailed status code and some internal (agreed) error code in the status message or status detail be a good alternative?

[RSP] sending <StatusMessage> and/or <StatusDetail> using custom error codes, IMO, is still not desirable but is certainly way better than sending plain text indicating the reason.  IMO, it is still not desirable since attackers can still possibly intuit conditions from those codes.  For example, if I make several attempts to login using various passwords and I keep getting back a custom code of 73492 and on the next try I get back the error 89217, I can deduce that I was probably using a good user id but I just locked the account due to bad password attempts.  Without this detail, I have no idea whether I’m even using a valid user id.

So, again, providing too much detail is a security risk.

Siddhartha

2009/1/21 <robert.philpott@rsa.com>

The proper way to handle this (IMO) is to set a top-level status code of

urn:oasis:names:tc:SAML:2.0:status:Responder

 

And a second-level status code of

urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

 

If additional details need to be provided, they should be placed into the optional <StatusMessage> or <StatusDetail> elements.

 

Note that it is normally a significant security risk to provide this much detail about an authentication request and most IdP implementations shouldn't/won't send it.  This falls in the category of leaking too much information to a potential attacker.

 

Rob Philpott

RSA, the Security Division of EMC
Senior Technologist | e-Mail: robert.philpott@rsa.com | Office: (781) 515-7115 | Mobile: (617) 510-0893

 

From: Siddhartha Purkayastha [mailto:kpsiddharth@gmail.com]
Sent: Wednesday, January 21, 2009 7:31 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Re: SAML Response Status Codes for User exceeding max permitted attempts

 

I went through the 2.0 documentation - and apparently, there isn't such a status. So my question should probably have been what would be the best way to inform the requester of such a status?

2009/1/21 Siddhartha Purkayastha <kpsiddharth@gmail.com>

Hello All -

Can someone tell me if there is a status code (<StatusCode>) that may be used in a SAML response to inform the requester of the principal (user) exceeding max permitted number of attempts, and hence a resulting account lockout? Is there a way to distinguish this from a plain failed auth attempt?

Thanks for any help.

Thanks,
Siddhartha

 

 


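The status structure Rob recommends above (top-level Responder, second-level AuthnFailed, optional StatusDetail), together with the lockout-probing scenario he describes, as an added worked example. This is not code from the thread or from any SAML implementation; the account data, the lockout threshold, the private <ErrorCode> element and the helper names (build_failure_response, classify_status, AuthnAuthority, probe_user) are all assumptions made for the demonstration. The two detail codes are the illustrative numbers from the message above.

```python
"""Added example (not from the saml-dev thread): build and classify the SAML 2.0
<Status> structure discussed above, then show why custom detail codes leak.

Assumptions (mine, not the thread's): helper names, the constructed account
table, the lockout threshold and the private <ErrorCode> element.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ST_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ST_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
MAX_ATTEMPTS = 3  # constructed lockout threshold

ET.register_namespace("samlp", SAMLP)


def build_failure_response(in_response_to, detail_code=None):
    """Responder side: a <samlp:Response> whose <Status> carries the nested
    codes from the thread (Responder, then AuthnFailed).  If detail_code is
    given it goes into <StatusDetail>, the variant the thread warns against."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp1",                      # constructed identifier
        "Version": "2.0",
        "IssueInstant": "2009-01-22T09:00:00Z",
        "InResponseTo": in_response_to,
    })
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=ST_RESPONDER)
    ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=ST_AUTHN_FAILED)
    if detail_code is not None:
        detail = ET.SubElement(status, f"{{{SAMLP}}}StatusDetail")
        code = ET.SubElement(detail, "ErrorCode")   # hypothetical private element
        code.text = str(detail_code)
    return ET.tostring(resp, encoding="unicode")


def classify_status(xml_text):
    """Requester side: pull the top-level code, the second-level code and any
    private detail code out of a Response."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    second = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    detail = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusDetail/ErrorCode")
    return {
        "top": top.get("Value") if top is not None else None,
        "second": second.get("Value") if second is not None else None,
        "detail": detail.text if detail is not None else None,
    }


class AuthnAuthority:
    """Toy authentication authority with a constructed account table.
    leak_detail=True reproduces the chatty behaviour described in the thread:
    73492 for a bad credential, 89217 once the account is locked."""

    def __init__(self, leak_detail):
        self.leak_detail = leak_detail
        self.accounts = {"alice": "correct horse"}   # constructed
        self.failures = {}

    def authenticate(self, username, password, request_id="_req1"):
        """Return None on success (a real IdP would issue an Assertion here),
        otherwise the failure Response XML."""
        expected = self.accounts.get(username)
        locked = self.failures.get(username, 0) >= MAX_ATTEMPTS
        if expected is not None and expected == password and not locked:
            return None
        detail = None
        if username in self.accounts:
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.leak_detail:
                detail = 89217 if self.failures[username] >= MAX_ATTEMPTS else 73492
        elif self.leak_detail:
            detail = 73492
        return build_failure_response(request_id, detail)


def probe_user(idp, username, attempts=MAX_ATTEMPTS):
    """Attacker view: try wrong passwords and record the detail code each time.
    A change of code mid-sequence reveals that the user id exists."""
    seen = []
    for i in range(attempts):
        seen.append(classify_status(idp.authenticate(username, f"wrong{i}"))["detail"])
    return seen


if __name__ == "__main__":
    chatty, quiet = AuthnAuthority(leak_detail=True), AuthnAuthority(leak_detail=False)
    print("chatty alice  :", probe_user(chatty, "alice"))    # code changes on lockout
    print("chatty mallory:", probe_user(chatty, "mallory"))  # never changes
    print("quiet  alice  :", probe_user(quiet, "alice"))     # indistinguishable
    print("quiet  mallory:", probe_user(quiet, "mallory"))
```

Run against the chatty authority, probing a real user id yields 73492, 73492, 89217 while an unknown id yields 73492 three times, which is exactly the inference the message above describes. The quiet authority returns the bare Responder/AuthnFailed pair for both, so the requester learns nothing beyond "authentication did not succeed".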
