Collaborate Disseminate
We are trying to set up(I am not part of the setting up process) an SSO based login for an ITSM application. Our organisation has some users working for us although they use their own organisation email address to log in. We use OKTA as ou… Continue reading How does the SAML based SSO differ for Internal (employees) and External users (external resources)?
I have an app where I may choose to configure SAML2 login in the app with:
Public cert of IdP
IdP SAML2 login URL
IdP entity ID
I may also choose to, instead, provide an HTTPS metadata URL from which all of the above information is fetch… Continue reading Security aspects in SAML2 using configuration with metadata URI
I have a SAML offering for my clients to access my cloud based application. Should I have a portal for them to upload their certificates or should I go the easy route and just have them e-mail them to me? What would be the best practice fo… Continue reading Is it inappropriate at all for someone in my client organization to email their PEM file to me?
My SaaS application offers enterprise customers the option to use SAML to authenticate their user population against their own Identity Provider. This normally works fine, however I am looking for advice on an edge case related to shared … Continue reading Authenticate via SAML without establishing SSO session
I’m learning SAML and came to a question.
Let’s say you have an IDP and an SP. Following the SP-initiated flow, a user accesses a web page provided by the SP, clicks on some button to authenticate, is redirected to the IDP page with the SA… Continue reading Access SP on behalf of an IDP authenticated user
Part of Akamai’s incident management process for vulnerabilities in third party software involves verifying potential impact in other systems using the same or similar libraries. While following that process when addressing the SAML impersonation vulnerability, CVE-2021-28091, which impacted Akamai’s Enterprise… Continue reading SOGo and PacketFence Impacted by SAML Implementation Vulnerabilities
This blog post provides an overview of a vulnerability discovered in Akamai’s Enterprise Application Access (EAA) product which has been patched. This vulnerability could have allowed an actor to impersonate an authorized user when interacting with an application that used Security Assertion Markup Language Version 2 (SAMLv2, referred to as SAML in this document) to authenticate users. Continue reading SAML Implementation Vulnerability Impacting Some Akamai Services
I am very new to SAML and currently doing research on whether SAML is the right solution for me.
All the SAML examples that I can find work on the email domain. I wonder if it is possible to build a service provider and identity provider b… Continue reading Other than domain, what other attribute can SAML work with?
I read this answer around mitigation and detection of the Golden SAML attack but I wanted to investigate further about how preventable it is and how an organization could nullify an attack before it happens.
My understanding here is that t… Continue reading Golden SAML Negation and Understanding
A common multi factor authentication solution will ask a user for a username+password and a one-time password.
In all documents I can find both factors are asked by the same identity provider. This can be the website itself or for example … Continue reading Does it make sense to split two factor authentication between identity providers