Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties, specifically between an Identity Provider (IdP) and a Service Provider (SP). It's widely used for enterprise single sign-on (SSO).

Key Components

  • Identity Provider (IdP): Authenticates users and issues assertions
  • Service Provider (SP): Relies on the IdP for authentication and consumes its assertions
  • Assertion: XML document containing authentication/authorization statements
  • Binding: How SAML messages are transported (e.g. HTTP POST, HTTP Redirect)

SP-Initiated Flow

1. User accesses the SP application
2. SP generates a SAMLRequest and redirects the user to the IdP
3. User authenticates at the IdP
4. IdP generates a SAMLResponse containing the assertion
5. IdP POSTs the SAMLResponse (through the user's browser) to the SP's Assertion Consumer Service (ACS) URL
6. SP validates the assertion and creates a session

SAMLResponse Structure

<samlp:Response>
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="..." NotOnOrAfter="..."/>
    <saml:AuthnStatement/>
  </saml:Assertion>
</samlp:Response>

Common Vulnerabilities

  • XML Signature Wrapping attacks
  • Missing signature validation
  • Comment injection in NameID
  • XXE in SAML parsing
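
Added example, not code from this page or from any SAML library: structural pre-checks an SP can run on a SAMLResponse with only the Python standard library, one for each vulnerability listed above. It assumes that real XML-DSig verification (xmlsec, python3-saml or equivalent) runs after these checks, since no cryptography is performed here; the sample message, its IDs and the reduced Signature element are constructed.

```python
from xml.dom import minidom

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not a real IdP message: IDs are made up, Signature reduced to its Reference.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
 </saml:Assertion>
</samlp:Response>"""

def _kids(node, ns, name):
    # Direct child elements only: nesting depth is exactly what wrapping attacks exploit.
    return [n for n in node.childNodes if n.nodeType == n.ELEMENT_NODE
            and n.namespaceURI == ns and n.localName == name]

def _one(node, ns, name):
    found = _kids(node, ns, name)
    if len(found) != 1:
        raise ValueError(f"expected one {name} under {node.localName}, found {len(found)}")
    return found[0]

def check_response(xml_text: str) -> str:
    """Return the NameID if the structural checks pass; raise ValueError otherwise."""
    # XXE / entity expansion: a SAML message never legitimately carries a DOCTYPE.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    resp = minidom.parseString(xml_text).documentElement
    # Signature wrapping: exactly one Assertion in the whole document, directly under Response.
    if len(resp.getElementsByTagNameNS(SAML, "Assertion")) != 1:
        raise ValueError("exactly one Assertion expected")
    assertion = _one(resp, SAML, "Assertion")
    # Missing signature validation: Response or Assertion carries an enveloped ds:Signature
    # whose Reference URI names its own parent's ID (the element actually covered).
    signed = [e for e in (resp, assertion) if _kids(e, DS, "Signature")]
    if not signed:
        raise ValueError("no ds:Signature on Response or Assertion")
    for e in signed:
        ref = _one(_one(_one(e, DS, "Signature"), DS, "SignedInfo"), DS, "Reference")
        if ref.getAttribute("URI") != "#" + e.getAttribute("ID"):
            raise ValueError("Signature Reference does not cover its parent element")
    # Comment injection: NameID must be a single text node with no comment children.
    name_id = _one(_one(assertion, SAML, "Subject"), SAML, "NameID")
    if len(name_id.childNodes) != 1 or name_id.firstChild.nodeType != name_id.TEXT_NODE:
        raise ValueError("NameID must be a single text node")
    return name_id.firstChild.data
```

A message that passes these checks still has to have its signature verified against the IdP's known certificate and its Conditions window enforced before a session is created.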
