paulioc

Reputation: 53

Can SAML Assertions Be Modified In Transit?

Is there anything to stop a user modifying a SAML assertion being sent to a service provider?

For example, if a SAML response identifies a user to the service provider by email address, is there anything in place within the assertion to stop someone modifying it using something like Fiddler, and replacing their email address with someone in the same company who has a higher level of access in the service they are trying to access?

Upvotes: 1

Views: 1440

Answers (2)

user3391212

Reputation: 81

Yes, it can be modified, but even a slight change in the response (like adding a space) would fail the signature validation process at the service provider end (provided that the SP is validating it as it should be done).

Upvotes: 0

Robby Cornelissen

Reputation: 97150

The assertions in your SAML response SHOULD be signed using a private/public key pair and xmldsig. If they are correctly signed, changing the contents of an assertion will invalidate the signature, and thus the assertion itself.

Now, if

  • the service provider doesn't require a signature,
  • or doesn't bother checking the validity of the signature,
  • or the private key is compromised

then pretty much anything is possible.

Upvotes: 5
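Both answers make the same point: an edited assertion fails signature validation, but only if the service provider actually requires and checks the signature. The example below (added here for illustration, not code from either answer or from any SAML library) models that in Go with the standard library: an identity provider signs a simplified assertion with RSA-SHA256 (the algorithm xmldsig commonly uses), a strict SP recomputes the digest over the bytes it received and verifies, and a lax SP just reads the NameID. XML canonicalisation and the xmldsig envelope are left out so the trust logic stays visible; the issuer, audience and e-mail addresses are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Assertion is a simplified stand-in for a SAML <Assertion>: the subject's
// NameID (an e-mail address, as in the question) plus a detached signature.
type Assertion struct {
	Issuer    string
	NameID    string
	Audience  string
	Signature []byte // RSA-SHA256 over canonical(); empty means unsigned
}

// canonical returns the exact bytes that are signed. Every field is covered,
// so any in-transit edit changes the digest the SP recomputes.
func (a Assertion) canonical() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.NameID, a.Audience}, "\n"))
}

// Sign is the IdP's step: hash the assertion and sign the hash with its private key.
func Sign(a *Assertion, key *rsa.PrivateKey) error {
	digest := sha256.Sum256(a.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	a.Signature = sig
	return nil
}

var (
	ErrUnsigned     = errors.New("assertion carries no signature")
	ErrBadSignature = errors.New("signature does not match assertion contents")
)

// Verify is the SP's step: require a signature, recompute the digest over the
// bytes actually received, and check it against the IdP's public key.
func Verify(a Assertion, pub *rsa.PublicKey) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(a.canonical())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

// StrictSP trusts the NameID only after Verify succeeds.
func StrictSP(a Assertion, pub *rsa.PublicKey) (string, error) {
	if err := Verify(a, pub); err != nil {
		return "", err
	}
	return a.NameID, nil
}

// LaxSP models the first two failure modes in the answer: it neither requires
// nor checks a signature, so whatever NameID arrives is believed.
func LaxSP(a Assertion) string { return a.NameID }

// Scenario records what each SP does with an intact, a tampered and an unsigned assertion.
type Scenario struct {
	StrictIntact   string // NameID the strict SP accepts from the untouched assertion
	StrictTampered error  // strict SP's verdict on the tampered assertion
	StrictUnsigned error  // strict SP's verdict once the signature is stripped
	LaxTampered    string // NameID the lax SP accepts from the tampered assertion
}

// RunScenario generates a fresh IdP key pair (constructed for this example),
// issues an assertion for alice, then presents it with the NameID rewritten.
func RunScenario() (Scenario, error) {
	var s Scenario
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return s, err
	}
	issued := Assertion{
		Issuer:   "https://idp.example.test", // placeholder issuer entity ID
		NameID:   "alice@example.test",       // constructed sample subject
		Audience: "https://sp.example.test",  // placeholder SP entity ID
	}
	if err := Sign(&issued, idpKey); err != nil {
		return s, err
	}
	if s.StrictIntact, err = StrictSP(issued, &idpKey.PublicKey); err != nil {
		return s, err
	}
	tampered := issued // same signature, different subject
	tampered.NameID = "admin@example.test" // constructed higher-privilege account
	_, s.StrictTampered = StrictSP(tampered, &idpKey.PublicKey)
	s.LaxTampered = LaxSP(tampered)
	unsigned := tampered // signature removed entirely; a strict SP must refuse
	unsigned.Signature = nil
	_, s.StrictUnsigned = StrictSP(unsigned, &idpKey.PublicKey)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict SP, intact:  ", s.StrictIntact)
	fmt.Println("strict SP, tampered:", s.StrictTampered)
	fmt.Println("strict SP, unsigned:", s.StrictUnsigned)
	fmt.Println("lax SP, tampered:   ", s.LaxTampered)
}
```

The strict SP accepts alice, rejects the rewritten assertion with a signature mismatch, and rejects the unsigned copy outright rather than falling back to trusting the body; the lax SP accepts the rewritten NameID, which is exactly the outcome the answer's bullet list warns about. The third failure mode, a compromised IdP private key, is not something the SP can detect from the assertion alone, since a valid signature would then be produced for any subject.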