Collaborate Disseminate
So it’s unclear how much more security needs to happen at the ACS point.
I can see that the IDP signs a signature that involves a certificate and private key.
The SP can verify the signature with the copy of the certificate it holds. Is th… Continue reading SSO SAML2: validating/verifying the SAMLResponse at the ACS
The requirement: have a user, existing in an IDP, be automatically authenticated on a Resource server. IDP app can then provide web view for resource server user.
OAuth 2.0 Approach:
IDP nudges resource server saying they want a user to b… Continue reading OAuth 2.0: programmatically authenticate Resource Server user after Authorization Code grant
I run an instance of a log aggregation product in the cloud, installed on a VM. I’ve strictly configured it’s networking settings, internal firewall, internal port redirection, strong admin password, valid HTTPS certificate, etc. The web i… Continue reading Verifying the security of SAML SSO
So, I know how public-private key encryption works. I understand how/why certificates are required. I understand how a SSO flow (IdP initiated) works. But, I do not understand how the three of them happen together. I am confused about what… Continue reading How does encryption, certificates in an end to end SSO flow?
I work for a company where we give customer (hundreds/thousands of users) access to 2 sites. One owned by a 3rd party SaaS and one owned by us. Customers spend alot of time registering for both sites and we also spend alot of time removing… Continue reading OAuth2, SAML, OpenID connect – Which one to use for my scenario?
Our system supports SAML2 and acts as service provider. Our customer uses ADFS as identity provider. Metadata has been exchanged and the connection works. Unfortunately our system complains about the SAML responses:
org.opensaml.common.SA… Continue reading How to decrypt encrypted SAML assertion using private RSA key?
I have an application Foo that exposes a web-based portal as well as a REST API service via HTTPS.
When a human user connects to the app Foo to use its web-based portal, the human user is first redirected to an OAuth2-based login page. Onc… Continue reading App-to-app or service-to-service authentication using federated login
An authentication-bypass vulnerability allows attackers to access network assets without credentials when SAML is enabled on certain firewalls and enterprise VPNs. Continue reading CISA: Nation-State Attackers Likely to Exploit Palo Alto Networks Bug
A previously asked question touches on topics which are very similar to what I am having trouble understanding.
In a web application I am testing, SAML SSO is brokered using Keycloak. The SAML Response messages contain Encrypted Assertions… Continue reading Do SAML responses containing encrypted assertions provide protection against MiTM attacks?
Is it possible to fully automate the login of a service user (i.e. a programmatic, software based "user") without user interaction?
I have a service provider that’s SAML protected. Basic Auth and OAuth are not allowed. The IdP is… Continue reading Automating SAML login for service users? [closed]