OASIS Mailing List Archives: wss message

Subject: RE: [wss] *SAML concerns* ?

Within OASIS SSTC we are working on SAML 2.0. As part of this version of SAML we plan to have some Kerberos support included. Since the Kerberos protocol helps protect against many network security concerns, such as message replay, it will be a useful and complementary technology when used for SSO with SAML.
Thanks, Tim.

From: Simon, Hank [mailto:hank.simon@lmco.com]
Sent: 09 March 2004 12:56
To: saml-dev@lists.oasis-open.org
Cc: wss@lists.oasis-open.org
Subject: [wss] *SAML concerns* ?

Folks -

We are interested in exploring a SAML pilot. Our Corporate Security Department has some reasonable concerns. My take is that they are asking for help to understand the implications and to generate a policy to mitigate these and other risks.

I don't think there is a question about SAML for SSO. Mitigating attacks on SAML is the concern.
The concerns seem to focus on Replay, Man-in-the-Middle, and HTTP referrer. The solution appears to be a 2-factor approach using SSL and unilateral authentication.

Here is a recent paper that highlights some of these concerns. Also, if you could break a SAML implementation (other than social engineering), what other attacks would you try? In other words, what additional concerns should we anticipate?

Any opinions appreciated.

Hank Simon

 -----Original Message-----

I'm starting to understand all of this better. However, with all "new" technologies there are new concerns. I've started doing some reading on SOAP/SAML and I'm worried that if not implemented correctly there could be large scale security concerns. The attached document is a little over my head, but I'll read it a couple more times. Please review it and pay close attention to the risks associated with section 7 "Attacks".
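A defender-side check for the replay and audience concerns raised in this thread, added here as an example that is not part of any message above. It assumes a SAML 2.0 assertion (the namespace, sample IDs and URLs are constructed) and that the assertion's XML signature has already been verified by other code before this check runs.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(minutes=2)  # tolerated clock skew between IdP and SP


def _ts(s):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayGuard:
    """Rejects an assertion that is expired, meant for another audience, or seen before.
    Signature verification is assumed to have happened already (not shown)."""

    def __init__(self, audience):
        self.audience = audience
        self.seen = {}  # assertion ID -> time after which it can be forgotten

    def check(self, assertion_xml, now):
        root = ET.fromstring(assertion_xml)
        # Drop cache entries for assertions that could no longer be accepted anyway
        self.seen = {i: t for i, t in self.seen.items() if t > now}
        aid = root.get("ID")
        cond = root.find("saml:Conditions", NS)
        if aid is None or cond is None:
            return "reject: missing ID or Conditions"
        not_before = _ts(cond.get("NotBefore"))
        not_after = _ts(cond.get("NotOnOrAfter"))
        if now + SKEW < not_before or now - SKEW >= not_after:
            return "reject: outside validity window"
        auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in auds:
            return "reject: audience mismatch"
        if aid in self.seen:
            return "reject: replay of assertion " + aid
        self.seen[aid] = not_after + SKEW  # remember the ID until it expires
        return "accept"


# Constructed sample assertion (hypothetical IdP/SP hostnames and ID)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-001" IssueInstant="2004-03-09T12:55:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2004-03-09T12:55:00Z" NotOnOrAfter="2004-03-09T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Presenting the same assertion a second time is refused as a replay, and an assertion presented after NotOnOrAfter (plus skew) is refused outright, so the cache only needs to hold IDs for the validity window.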

