Several security questions


Duane Gran

Dec 5, 2017, 9:40:29 AM
to SimpleSAMLphp
I'm getting off the ground okay working with SimpleSamlPHP but I have someone asking me some security related questions about the tool/project.  I've read over the documentation but didn't see answers to the following.  Could someone assist me in answering these?

Is a hardened catalog of schemas being utilized that has been verified prior to use by the validation process?

Does your application allow automatic downloading of third party schemas?

Is the SAML engine configured to always use local, trusted copies of the schema for validation?

Are schema inspections, validations and hardening of the SAML Token (XML document) regularly conducted to disable possible wildcard-type or relaxed processing statements?

Does your application consider any keys that are embedded in the SAML Token to be untrusted?

Does your application perform key validation on the x.509 key before the document validation process occurs?

When selecting elements from the SAML Token, is XPATH being used (even on validated schema documents)?

I appreciate any input on the above.  If I overlooked something in the documentation that would set me on the right path I apologize for troubling the listserve.

Duane

Peter Schober

Dec 5, 2017, 11:13:25 AM
to SimpleSAMLphp
* Duane Gran <duane...@gmail.com> [2017-12-05 15:40]:
> Is a hardened catalog of schemas being utilized that has been verified
> prior to use by the validation process?

You mean by hacking out remote URIs from schemaLocation in the official
XSD files produced by OASIS/W3C? AFAICT the schema files distributed
by SSP are the original ones.

> Does your application allow automatic downloading of third party schemas?

I hardly see any use even of the shipped schemas in the ./schemas/
directory. There's another reference to an external schema in
./vendor/gettext/languages/src/Exporter/Xml.php though I don't know
whether any code will actually download that.

> Is the SAML engine configured to always use local, trusted copies of
> the schema for validation?

I'll defer that to others, though it seems schemas are hardly used at
all in SSP, from a quick recursive grep for .xsd.

> Does your application consider any keys that are embedded in the
> SAML Token to be untrusted?
>
> Does your application perform key validation on the x.509 key before the
> document validation process occurs?

SimpleSAMLphp implements the OASIS SAML V2.0 Metadata Interoperability
Profile, https://wiki.oasis-open.org/security/SAML2MetadataIOP
See section 2.6.1 thereof for allowed key processing.

> When selecting elements from the SAML Token, is XPATH being used
> (even on validated schema documents)?

There are few instances of xpath calls. cf. `fgrep -lir xpath .` in the
expanded source tree (mostly in the included xmlseclibs library).

-peter

Jaime Perez Crespo

Dec 11, 2017, 3:56:08 AM
to simple...@googlegroups.com
Hi Duane,

On 5 Dec 2017, at 15:40 PM, Duane Gran <duane...@gmail.com> wrote:
> Does your application allow automatic downloading of third party schemas?

No.

> Is the SAML engine configured to always use local, trusted copies of the schema for validation?

Well, if you cannot download schemas… :-)

SSP doesn’t do schema validation as a general rule. Schema validation is computationally expensive and offers very little back. You can manually enable validation of SAML 1.1 messages or metadata, though.

> Are schema inspections, validations and hardening of the SAML Token (XML document) regularly conducted to disable possible wildcard-type or relaxed processing statements?

As far as we know, there are no relaxed processing issues in SimpleSAMLphp. If there are, those should be regarded as a vulnerability and fixed.

> Does your application consider any keys that are embedded in the SAML Token to be untrusted?

That’s not how trust works in SAML. Embedded keys are checked against the list of keys configured offline for a given entity. If the key is not in that list, then it’s not trusted. Trust does not depend on whether or not the key is embedded in the SAML message.

> Does your application perform key validation on the x.509 key before the document validation process occurs?

No.

> When selecting elements from the SAML Token, is XPATH being used (even on validated schema documents)?

It is used in some places, yes.


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
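The trust rule Jaime describes above (an embedded key is only a hint and is accepted only if it matches a key configured offline for the entity) is illustrated below. This is an added example in Python, not SimpleSAMLphp code; the entity metadata, the sample Response and the certificate bytes are all constructed placeholders, and the block only shows key selection, not XML signature verification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def embedded_certs(xml_text: str) -> list:
    """DER bytes of every ds:X509Certificate found in the message's ds:KeyInfo."""
    # The stdlib parser fetches neither external entities nor schemas, so
    # inspecting the token downloads nothing (the point raised in the thread).
    root = ET.fromstring(xml_text)
    return [base64.b64decode("".join((n.text or "").split()))
            for n in root.iter(DS + "X509Certificate")]

def select_trusted_cert(xml_text: str, trusted_fingerprints: set) -> Optional[bytes]:
    """Return the embedded certificate to verify with, or None if none is trusted.

    The embedded key carries no trust by itself: it is accepted only when its
    fingerprint is in the set configured offline (metadata) for the sending entity.
    """
    for der in embedded_certs(xml_text):
        if cert_fingerprint(der) in trusted_fingerprints:
            return der
    return None

# --- constructed sample data (placeholder bytes, not real certificates) ---
PINNED_CERT_DER = b"constructed-placeholder-DER-for-idp.example.org"
ROGUE_CERT_DER = b"constructed-placeholder-DER-for-an-unknown-key"
TRUSTED = {cert_fingerprint(PINNED_CERT_DER)}  # what the entity's metadata pins

def response_with(cert_der: bytes) -> str:
    """Minimal constructed SAML Response carrying a signature KeyInfo."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )

if __name__ == "__main__":
    print(select_trusted_cert(response_with(PINNED_CERT_DER), TRUSTED) is not None)  # True
    print(select_trusted_cert(response_with(ROGUE_CERT_DER), TRUSTED))  # None
```

A message whose embedded certificate is not pinned in metadata yields None, so it is rejected regardless of whether the signature over the document is mathematically valid for that key.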
