Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The SAML Single Sign-on Browser/Artifact profile is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user management costs. The SAML profile utilizes a constraint-based specification that is widely used by designers of this protocol class. In general, the profile is designed well and carefully. Yet, it does not come with a general security analysis, but provides an attack-by-attack list of countermeasures as security consideration. We present a security analysis of the SAML Single Sign-on protocol, which is the first one for such a protocol standard. In concise analysis of the protocol design, we have revealed several flaws in the specification given that can lead to vulnerable implementations. To demonstrate the impact of those flaws we exploit some of them to mount attacks on the protocol.
By: Thomas Gross
Published in: RZ3501 in 2003
LIMITED DISTRIBUTION NOTICE:
This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.
Questions about this service can be mailed to reports@us.ibm.com .