Hacking SAML Part: 1

Let's Deep Dive into SAML

What is SAML

Security Assertion Markup Language (SAML) is an XML-based framework for authentication and authorization between two entities: a Service Provider (SP) and an Identity Provider (IdP). It covers both B2B and B2C scenarios. It is an open standard for exchanging authentication and authorization data between parties, particularly in a web-based environment. It is widely used in single sign-on (SSO) solutions to allow users to authenticate once and access multiple applications without needing to log in to each one individually.

Participants:

User/Principal: The one who tries to access the services of the service provider.

Service Provider: The entity providing the service, typically in the form of an application.

Identity Provider: The entity providing the identities, including the ability to authenticate a user.

Workflow of SAML:

  1. The user requests access to the service provider from the browser.

  2. The Service Provider sends a SAML request to the browser using the Entity ID of the IdP. (The SAML request is embedded in the HTTP redirect that sends the user to the IdP.)

  3. The browser relays this request to the Identity Provider.

  4. The IdP validates the SAMLRequest.

  5. The IdP presents a login screen.

  6. The user provides their login credentials for verification.

  7. The IdP validates the credentials and, once the user is authenticated, generates a SAMLResponse.

  8. The IdP sends the SAMLResponse, containing the SAML assertion, to the ACS URL of the SP, along with the details requested in the Subject by the SP.

  9. The browser relays this response to the Service Provider.

  10. After receiving these details, the SP grants access to the user and establishes the session.


Let's understand the SAML Request:

  • ID : A newly generated, unique identifier for this request, by which the SP and IdP can identify the message (the response refers back to it).

  • IssueInstant : Timestamp to indicate the time it was generated.

  • AssertionConsumerServiceURL(ACSU) : The Identity Provider will send the SAML response to this URL. This URL will be provided by the service provider.

  • Destination : Identity provider URL.

  • Issuer : The name of the service provider.

  • Name ID Format : The format in which the name ID must be specified. The name ID format you specify must be the same in both the IdP and SP.

Let's understand the SAML Response:

  • ID : A newly generated, unique identifier for this response, by which the SP and IdP can identify the message.

  • IssueInstant : Timestamp to indicate the time it was generated.

  • Issuer : The name of the identity provider.

  • Destination : Service provider URL.

  • InResponseTo : The ID of the SAML request that this response belongs to (the ID generated by the SP).

  • Recipient : The name of the service provider.

  • Assertion : XML document that the identity provider sends to the service provider that contains the following details:

  • Name ID Format : The format in which the name ID must be specified.

  • Subject : It indicates the value that the Service provider expects. E.g., user name, user ID, etc.

    NotBefore : A time instant before which the subject cannot be confirmed.

    NotOnOrAfter : A time instant at which the subject can no longer be confirmed.

  • Conditions : Indicates the validity period of the assertion.

    NotBefore : Specifies the earliest time instant at which the assertion is valid.

    NotOnOrAfter : Specifies the time instant at which the assertion has expired.
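The fields listed above are exactly what a Service Provider has to check before trusting a response. The following is an added example (not code from the original post) that parses a constructed, unsigned SAMLResponse and verifies InResponseTo, Destination, Issuer, Recipient and both validity windows; the issuer, ACS URL and IDs are made-up values, and signature verification is deliberately left out of scope.

```python
# Added example: consistency checks on the SAML Response fields described above.
# Note: this is a constructed, unsigned sample; real deployments must also verify
# the XML signature, and should parse untrusted XML with defusedxml instead.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (hypothetical IdP, SP and IDs).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1"
    InResponseTo="_req1" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example.com/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC in xsd:dateTime form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_request_id, acs_url, idp_issuer, now):
    """Return the names of the failed checks (an empty list means all passed)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    checks = {
        "InResponseTo": root.get("InResponseTo") == expected_request_id,   # ties response to our request
        "Destination": root.get("Destination") == acs_url,                 # response meant for our ACS
        "Issuer": root.findtext("saml:Issuer", namespaces=NS) == idp_issuer,  # the IdP we trust
        "Recipient": scd.get("Recipient") == acs_url,                      # assertion meant for us
        "SubjectNotOnOrAfter": now < _ts(scd.get("NotOnOrAfter")),         # subject confirmation window
        "ConditionsNotBefore": now >= _ts(cond.get("NotBefore")),          # assertion validity window
        "ConditionsNotOnOrAfter": now < _ts(cond.get("NotOnOrAfter")),
    }
    return [name for name, ok in checks.items() if not ok]
```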


Now Let's Dive into SAML Hacking... Part 2... Coming Soon... 🚀