Subject: RE: [wss] *SAML concerns* ?
Folks -
We are interested in exploring a SAML pilot. Our Corporate Security Department has some reasonable concerns. My take is that they are asking for help to understand the implications and to generate a policy to mitigate these and other risks.
I don't think there is a question about SAML for SSO. Mitigating attacks on SAML is the concern. The concerns seem to focus on Replay, Man-in-the-Middle, and HTTP referrer. The solution appears to be a 2-factor approach using SSL and unilateral authentication.
Here is a recent paper that highlights some of these concerns. Also, if you could break a SAML implementation (other than social engineering), what other attacks would you try? In other words, what additional concerns should we anticipate?
Any opinions appreciated.
Thanx,
Hank Simon
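As an added illustration of the replay and mis-delivery concerns raised above (this is example code written for this page, not from the thread, the attached paper, or any SAML toolkit), the checks below are what a SAML 2.0 relying party applies to a bearer assertion after the XML signature has been verified: the Conditions time window, the AudienceRestriction, the SubjectConfirmationData Recipient and InResponseTo binding, and a one-time-use cache of assertion IDs so a captured assertion cannot be presented twice. Signature verification itself is assumed to have been done by an XML-DSig library and is not shown; the sample assertion, the entity IDs and the request ID are constructed for the example.

```python
"""Relying-party validation of a SAML 2.0 bearer assertion: time window,
audience, recipient/InResponseTo binding, and replay detection.
Example code for this page; assumes the XML signature was already verified."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (unsigned for brevity; not a real IdP output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC 'Z' timestamp form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    """Checks a service provider applies after verifying the assertion signature."""

    def __init__(self, audience, acs_url, skew=timedelta(seconds=60)):
        self.audience = audience   # our entity ID; must appear in AudienceRestriction
        self.acs_url = acs_url     # the only endpoint the assertion may be delivered to
        self.skew = skew           # tolerated clock drift between IdP and SP
        self.seen_ids = {}         # assertion ID -> time after which it can be forgotten

    def validate(self, xml_text, expected_request_id, now):
        """Return (accepted, reason). expected_request_id is the AuthnRequest ID we issued."""
        a = ET.fromstring(xml_text)
        if a.tag != "{%s}Assertion" % SAML_NS or a.get("Version") != "2.0":
            return False, "not a SAML 2.0 Assertion"
        assertion_id = a.get("ID")
        if not assertion_id:
            return False, "missing assertion ID"

        # Validity window from Conditions; NotOnOrAfter is required so the replay
        # cache knows how long the ID must be remembered.
        cond = a.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotOnOrAfter"):
            return False, "missing Conditions/NotOnOrAfter"
        not_on_or_after = _ts(cond.get("NotOnOrAfter"))
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - self.skew:
            return False, "assertion not yet valid"
        if now >= not_on_or_after + self.skew:
            return False, "assertion expired"

        # Audience: an assertion minted for another SP must not be accepted here.
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            return False, "audience mismatch"

        # Bearer confirmation: bind the assertion to our ACS URL and to the request we sent,
        # which defeats assertions captured in transit and delivered elsewhere or unsolicited.
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None:
            return False, "missing SubjectConfirmationData"
        if scd.get("Recipient") != self.acs_url:
            return False, "recipient mismatch"
        if scd.get("InResponseTo") != expected_request_id:
            return False, "InResponseTo mismatch"
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + self.skew:
            return False, "subject confirmation expired"

        # Replay: drop IDs that can no longer be valid, then refuse any ID seen before.
        self.seen_ids = {k: v for k, v in self.seen_ids.items() if v > now}
        if assertion_id in self.seen_ids:
            return False, "replayed assertion ID"
        self.seen_ids[assertion_id] = not_on_or_after + self.skew
        return True, "ok"


if __name__ == "__main__":
    v = AssertionValidator("https://sp.example.test", "https://sp.example.test/acs")
    t = _ts("2024-01-01T12:01:00Z")
    print(v.validate(SAMPLE_ASSERTION, "_req42", t))   # first presentation: accepted
    print(v.validate(SAMPLE_ASSERTION, "_req42", t))   # same assertion again: replay refused
```

The ID cache is in-process memory here; in a real deployment it has to be shared across every node that accepts assertions (or the check is only as good as the load balancer's stickiness), and it only needs to hold an ID until the assertion's own NotOnOrAfter plus skew has passed, which is why the IdP's short validity window matters as much as the cache.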
-----Original Message-----
I'm starting to understand all of this better. However, with all "new" technologies there are new concerns. I've started doing some reading on SOAP/SAML and I'm worried that if not implemented correctly there could be large scale security concerns. The attached document is a little over my head, but I'll read it a couple more times. Please review it and pay close attention to the risks associated with section 7 "Attacks".
<<SAML.pdf>>