OASIS Mailing List Archives

security-services message

Subject: Flaw identified (and apparently fixed) in Google's SAML implementation


http://www.ai-lab.it/armando/pub/fmse9-armando.pdf

Importantly

"It is immediate to see that the attack originates from one
of the simplifications that Google adopted in its SAML SSO
solution and namely from simplification (G1) that deprives
the authentication assertion of both the ID and SP fields (cf.
Section 2). In fact, by performing a similar analysis on the
standard SP-Initiated SSO with Redirect/POST Bindings,
no attacks have been reported by SATMC despite the several
protocol scenarios considered."


paul

-- 
Paul Madsen            e:paulmadsen @ ntt-at.com
NTT                    p:613-482-0432
                       m:613-282-8647
                       aim:PaulMdsn5
                       web:connectid.blogspot.com 



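As an added illustration (not part of Paul's message, the paper, or any real SAML implementation), the following Python model shows why the two fields named in the quote matter. An IdP issues signed authentication assertions in two forms: the simplified form with neither the request ID nor the SP identity, and the standard form carrying both (the SAML InResponseTo and Audience elements). The model assumes, as the attack scenario does, that the user first logs in to a dishonest SP that keeps the assertion it receives; HMAC over a canonical JSON encoding stands in for the IdP's XML signature, and all entity IDs, keys and function names are constructed for the example.

```python
"""Model of the SAML SSO weakness quoted above: a signed authentication
assertion that omits the request ID (InResponseTo) and the intended SP
(Audience) can be presented to a different SP than the one it was issued
for.  HMAC over canonical JSON stands in for the IdP's XML-DSig; every
name, URL and key here is constructed for the example."""

import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo secret standing in for the IdP signing key (a real IdP
# signs with a private key and SPs verify with its certificate).
IDP_SECRET = b"idp-signing-key-demo"


def _canonical(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True).encode()


def sign(fields: dict) -> dict:
    """Return a copy of the assertion carrying a MAC over its fields."""
    tag = hmac.new(IDP_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": tag}


def signature_ok(assertion: dict) -> bool:
    """Verify the IdP MAC; any change to a covered field breaks it."""
    fields = {k: v for k, v in assertion.items() if k != "signature"}
    expected = hmac.new(IDP_SECRET, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("signature", ""))


def idp_issue(subject: str, request_id: Optional[str], audience: Optional[str]) -> dict:
    """IdP issues an authentication assertion.  With request_id and
    audience both None this is the simplified (G1) form the quote
    describes; with both set it is the standard SP-initiated form."""
    fields = {"issuer": "https://idp.example", "subject": subject}
    if request_id is not None:
        fields["in_response_to"] = request_id
    if audience is not None:
        fields["audience"] = audience
    return sign(fields)


class ServiceProvider:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.pending = set()  # AuthnRequest IDs issued and not yet consumed

    def start_login(self) -> str:
        rid = "_" + secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def accept_lenient(self, assertion: dict) -> bool:
        """All a receiver can check when the assertion carries neither
        field: that the IdP really issued it for this subject."""
        return signature_ok(assertion)

    def accept_strict(self, assertion: dict) -> bool:
        """Standard checks: signature, audience is this SP, and the
        assertion answers a request this SP made (consumed once, so a
        second presentation of the same assertion is rejected)."""
        if not signature_ok(assertion):
            return False
        if assertion.get("audience") != self.entity_id:
            return False
        rid = assertion.get("in_response_to")
        if rid not in self.pending:
            return False
        self.pending.discard(rid)
        return True


def run_scenario() -> dict:
    """User logs in to a dishonest SP, which then presents the assertion
    it received to a second SP (the model's stand-in for Google)."""
    evil_sp = ServiceProvider("https://evil-sp.example")
    target = ServiceProvider("https://target-sp.example")

    rid = evil_sp.start_login()
    g1_assertion = idp_issue("alice", None, None)                # simplified
    std_assertion = idp_issue("alice", rid, evil_sp.entity_id)   # standard

    return {
        "g1_accepted_at_evil_sp": evil_sp.accept_lenient(g1_assertion),
        "g1_presented_to_target": target.accept_lenient(g1_assertion),
        "std_accepted_at_evil_sp": evil_sp.accept_strict(std_assertion),
        "std_replayed_at_evil_sp": evil_sp.accept_strict(std_assertion),
        "std_presented_to_target": target.accept_strict(std_assertion),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

The simplified assertion is accepted by both SPs because nothing in it binds it to the SP that requested it; the standard assertion is rejected by the second SP on the audience check and rejected on replay at the first SP because its request ID has already been consumed. Either field alone closes the cross-SP case, which is why the quote names both.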