OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Flaw identified (and apparently fixed) in Google's SAML implementation



"It is immediate to see that the attack originates from one
of the simplifications that Google adopted in its SAML SSO
solution and namely from simplification (G1) that deprives
the authentication assertion of both the ID and SP fields (cf.
Section 2). In fact, by performing a similar analysis on the
standard SP-Initiated SSO with Redirect/POST Bindings,
no attacks have been reported by SATMC despite the several
protocol scenarios considered."


Paul Madsen            e:paulmadsen @ ntt-at.com
NTT                    p:613-482-0432

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]