
Subject: *SAML concerns* ?

Folks -

We are interested in exploring a SAML pilot. Our Corporate Security Department has some reasonable concerns. My take is that they are asking for help to understand the implications and to generate a policy to mitigate these and other risks.

I don't think there is a question about SAML for SSO. Mitigating attacks on SAML is the concern.
The concerns seem to focus on Replay, Man-in-the-Middle, and HTTP referrer. The solution appears to be a 2-factor approach using SSL and unilateral authentication.

Here is a recent paper that highlights some of these concerns. Also, if you could break a SAML implementation (other than social engineering), what other attacks would you try? In other words, what additional concerns should we anticipate?

Any opinions appreciated.

Hank Simon

 -----Original Message-----

I'm starting to understand all of this better. However, with all "new" technologies there are new concerns. I've started doing some reading on SOAP/SAML and I'm worried that if not implemented correctly there could be large scale security concerns. The attached document is a little over my head, but I'll read it a couple more times. Please review it and pay close attention to the risks associated with section 7 "Attacks".
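The replay concern raised above is the one a SAML consumer can address in code: after the assertion signature has been verified, the service provider checks the Conditions window (with a small clock-skew allowance), the intended Audience, and rejects any assertion ID it has already accepted inside its validity window. The following is an added example written for this thread, not code from OASIS or any SAML toolkit; the assertion XML, the issuer and audience URLs and the skew value are constructed for illustration, and signature verification is assumed to have happened before this check.

```python
# Added example: post-signature validity and replay checks on a SAML 2.0
# assertion. Sample XML below is constructed; signature is assumed verified.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""

def _parse_time(value):
    """Parse the UTC 'Z' timestamp form used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class AssertionValidator:
    def __init__(self, expected_audience, skew_seconds=60):
        self.expected_audience = expected_audience
        self.skew = timedelta(seconds=skew_seconds)
        self.seen_ids = {}  # assertion ID -> time after which it can be forgotten

    def validate(self, xml_text, now_iso):
        now = _parse_time(now_iso)
        root = ET.fromstring(xml_text)
        assertion_id = root.get("ID")
        cond = root.find("saml:Conditions", NS)
        if assertion_id is None or cond is None:
            return "malformed"
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or noa is None:
            return "malformed"  # an assertion without a validity window is not accepted
        not_before, not_on_or_after = _parse_time(nb), _parse_time(noa)
        if now < not_before - self.skew or now >= not_on_or_after + self.skew:
            return "expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.expected_audience not in audiences:
            return "wrong-audience"
        # Replay: forget IDs whose window has closed, then refuse any ID seen before.
        self.seen_ids = {i: exp for i, exp in self.seen_ids.items() if exp > now}
        if assertion_id in self.seen_ids:
            return "replay"
        self.seen_ids[assertion_id] = not_on_or_after + self.skew
        return "ok"
```

In a deployment the seen-ID cache must be shared across all service-provider nodes (a database or shared cache), otherwise a replayed assertion could be accepted by a node that has not seen it.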


