The solution in the standard is to attach an XML Signature to each message, protecting that message against tampering.
The XML Signature standard is an immensely complicated beast, designed by a working group involving all the big names, and intended to be a one-size-fits-all solution to building tamper-resistant XML documents.
If these messages lack any protections, an attacker could simply modify the response to, for example, claim to be somebody else.
We’ve recently noticed a trend of New Zealand sites, including many government services, wanting to implement Single Sign-On (SSO) to combat the proliferation of passwords.
The most prevalent standard for doing this, providing interoperability between many vendors’ frameworks and multiple languages, is SAML 2.0.
It is important to understand the difference between a token like this and a SAML Artifact.
The configuration for the validation step is shown below:

To test this circuit, I am using the SOAPbox testing tool.
When signing in to a site with SAML 2.0, there are three parties involved - the Service Provider (‘SP’, the web application we want to access), the Principal (the user logging in) and the Identity Provider (‘IdP’, the authority).
We want to accomplish the aim of getting the Identity Provider to tell the Service Provider, in a trustworthy way, who the Principal is.
If, on the other hand, you see a SAML Artifact like this: then there’s probably not much you can do with it as an attacker.
An artifact is only a short reference: the Service Provider exchanges it for the original message over a back-channel (the Artifact Resolution protocol, normally a TLS-protected SOAP call straight from the SP to the IdP), and the IdP will resolve each artifact only once. So unless you have access to the target’s private network (and likely an SSL/TLS implementation bug while you’re at it), these are pretty useless to an attacker.
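The two token shapes described above, as an added example that is not part of the original post: a small Python script that decodes whatever lands in the SP’s form field, tells a full SAMLResponse apart from a SAMLart artifact, reports who the Response asserts and which element its Signature’s Reference actually covers, and shows the attacker’s move against an unsigned Response (rewrite the NameID and re-encode). The sample Response and the artifact are constructed, not captured from a real IdP; the signed sample’s digest and signature values are placeholders, so the check shows what the signature claims to cover, not that it verifies cryptographically. The artifact layout (type code 0x0004, two-byte endpoint index, 20-byte SHA-1 SourceID of the issuer, 20-byte random MessageHandle) is the SAML 2.0 Bindings format; only the HTTP-POST binding is handled.

```python
"""Added example (not the post's code): tell apart what an SP receives on its
Assertion Consumer Service.  A SAMLResponse is base64-encoded XML we can read
and, if unsigned, rewrite; a SAMLart artifact (SAML 2.0 type code 0x0004) is 44
opaque bytes the SP must exchange over a back-channel."""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():  # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed samples, not captured from any real IdP.  SIGNED_XML carries a
# Signature whose Reference points at the Assertion's ID, the way an IdP emits
# it; its digest and signature values are placeholders, so it shows what the
# signature claims to cover, not that it verifies.
UNSIGNED_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1b2c3" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SIGNED_XML = UNSIGNED_XML.replace(
    "<saml:Subject>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#_a1b2c3"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>'
    "<saml:Subject>")

def encode_response(xml_text):
    """Encode XML as the HTTP-POST binding carries it in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode()).decode()

def classify_token(value):
    """Return "artifact", "response" or "unknown" for a raw form-field value.
    Only the POST binding is handled; the Redirect binding also DEFLATEs."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    if len(raw) == 44 and raw[:2] == b"\x00\x04":
        return "artifact"
    if raw.lstrip().startswith(b"<"):
        return "response"
    return "unknown"

def parse_artifact(value):
    """Split a type-4 artifact: TypeCode(2) EndpointIndex(2) SourceID(20) MessageHandle(20)."""
    raw = base64.b64decode(value)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type-4 artifact")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24].hex(),        # SHA-1 of the issuer's entity ID
        "message_handle": raw[24:44].hex(),  # random; only the issuer can map it back
    }

def make_artifact(issuer, endpoint_index=0, handle=None):
    """Build an artifact as an IdP would; `handle` is injectable for repeatable tests."""
    handle = os.urandom(20) if handle is None else handle
    body = (b"\x00\x04" + endpoint_index.to_bytes(2, "big")
            + hashlib.sha1(issuer.encode()).digest() + handle)
    return base64.b64encode(body).decode()

def inspect_response(value):
    """Decode a SAMLResponse: who it asserts and which element any signature covers."""
    root = ET.fromstring(base64.b64decode(value))
    assertion = root.find("saml:Assertion", NS)
    assertion_id = assertion.get("ID")
    # A Reference URI of "#<ID>" ties the digest to that element; "" means the whole document.
    covered = {ref.get("URI", "") for ref in root.iter("{%s}Reference" % NS["ds"])}
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "assertion_id": assertion_id,
        "assertion_signed": ("#" + assertion_id) in covered or "" in covered,
        "response_signed": ("#" + root.get("ID", "")) in covered or "" in covered,
    }

def tamper(value, new_name):
    """What an attacker does to an unsigned Response: rewrite the NameID and re-encode.
    Against a signed one the Assertion digest no longer matches, so a correct verifier rejects it."""
    root = ET.fromstring(base64.b64decode(value))
    root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text = new_name
    return base64.b64encode(ET.tostring(root)).decode()

if __name__ == "__main__":
    token = encode_response(UNSIGNED_XML)
    print(classify_token(token), inspect_response(token))
    print(inspect_response(tamper(token, "admin@example.org")))
    print(inspect_response(encode_response(SIGNED_XML)))
    print(parse_artifact(make_artifact("https://idp.example.org/saml")))
```

Paste a captured SAMLResponse or SAMLart value into `classify_token` and `inspect_response` to see which case you are dealing with; the point of `assertion_signed` versus `response_signed` is that a signature over the outer Response says nothing about an Assertion that was swapped in after the fact unless the Reference also covers it.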
```csharp
var doc = new XmlDocument { PreserveWhitespace = true };
doc.Load(Server.MapPath("SAML.xml"));

// Sign. The Reference URI is the Assertion's ID attribute; it becomes the
// <Reference> that carries the DigestMethod and DigestValue.
SignedXml signer = new CustomIdSignedXml(doc); // the post's SignedXml subclass
signer.SigningKey = signingKey;                // the IdP's RSA key, assumed in scope
signer.AddReference(new Reference("#_d4559638-3abf-4433-9fad-b10f8a950351"));
signer.ComputeSignature();
string signatureXml = signer.GetXml().OuterXml;

// Verify: recompute the digest of the referenced element and check the
// SignatureValue against the public key.
SignedXml verifier = new CustomIdSignedXml(doc);
verifier.LoadXml(signer.GetXml());
bool valid = verifier.CheckSignature(signingKey);
```
We see on the Response screen of SOAPbox that the assertion we've sent is indeed valid.