Attacking Authentication Mechanisms
Introduction to SAML
Secure Assertion Markup Language (SAML) is an XML-based standard that enables authentication and authorization between parties and can be used to implement SSO. In SAML, data is exchanged in digitally signed XML documents to ensure data integrity.
Before diving into attacks and misconfigurations that can lead to security flaws in SAML, let us first discuss how it works.
SAML Components
SAML comprises the following components:
-
Identity Provider (IdP): The entity that authenticates users. The IdP provides identity information to other components and issues SAML assertions -
Service Provider (SP): The entity that provides a service or a resource to the user. It relies on SAML assertions provided by the IdP -
SAML Assertions: XML-based data that contains information about a user's authentication and authorization status
SAML Flow
Just like OAuth, SAML follows a pre-defined flow. On an abstract level, the SAML flow looks like this:
- The user accesses a resource provided by the SP
- Since the user is not authenticated, the SP initiates authentication by redirecting the user to the IdP with a SAML request
- The user authenticates with the IdP
- The IdP generates a SAML assertion containing the user's information, digitally signs the SAML assertion, and sends it in the HTTP response to the browser. The browser sends the SAML assertion to the SP
- The SP verifies the SAML assertion
- The user requests the resource
- The SP provides the resource
SAML Flow Example
As with OAuth, let us walk through a concrete example to ensure we fully understand the SAML flow. Let us assume that the user John wants to access the SP academy.htb with his sso.htb credentials. The SAML flow then looks like this:
Steps 1 & 2: Authentication Request
John accesses academy.htb. Since this is an unauthenticated request, academy.htb redirects John to sso.htb's IdP with a SAML request that looks similar to this:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://sso.htb/idp/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://academy.htb/index.php">
<saml:Issuer>http://academy.htb/index.php</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
The SAML request contains the following parameters:
-
Destination: The destination where the browser should send the SAML request -
AssertionCustomerServiceURL: The URL the IdP should send the response to after authentication -
saml:Issuer: The SAML request's issuer
Step 3: Authentication
John authenticates with sso.htb using his username and password. The IdP verifies the credentials and authenticates him.
Step 4: Assertion Generation
After successful authentication, the IdP generates a SAML assertion for John. This Assertion is then sent to John in an HTTP response. John's browser forwards the SAML assertion to the SP academy.htb. The SAML assertion looks similar to this:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1234567890" IssueInstant="2024-03-18T12:00:00Z" Version="2.0">
<saml:Issuer>http://sso.htb/idp/</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
</saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>john</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>[email protected]</saml:AttributeValue>
<saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
The SAML assertion contains the following parameters:
-
saml:Issuer: The SAML assertion's issuer -
saml:Subject: The SAML assertion's subject -
saml:NameID: A unique identifier for the SAML assertion's subject -
saml:AttributeStatement: List of attributes about the SAML subject
Step 5: Assertion Verification
The SP verifies the SAML assertion.
Steps 6 & 7: Resource Access
After successful verification of the SAML assertion, John can access resources at academy.htb without needing additional authentication.
Table of Contents
Introduction to Authentication Mechanisms
Introduction to Authentication MechanismsJWTs
Introduction to JWTs Attacking Signature Verification Attacking the Signing Secret Algorithm Confusion Further JWT Attacks JWT Tools of the Trade & Vulnerability PreventionOAuth
Introduction to OAuth OAuth Lab Setup Stealing Access Tokens Improper CSRF Protection Additional OAuth Vulnerabilities OAuth Vulnerability PreventionSAML
Introduction to SAML SAML Lab Setup Signature Exclusion Attack Signature Wrapping Attack Additional SAML Vulnerabilities SAML Tools of the Trade & Vulnerability PreventionSkills Assessment
Skills AssessmentMy Workstation
OFFLINE
/ 1 spawns left
