Security requirements for SAML Implementation


Taher Barodawala

Jan 28, 2015, 10:25:42 AM
to null-...@googlegroups.com
Hello Nulls,
I am working on coming up with a list of security related requirements for on-boarding a new web application to an existing SAML 2.0 authentication system for implementing SSO (Non-federated I guess).

Based on my limited knowledge of the SAML protocol and a day of web surfing, I have collated a few rough requirements :
1. SAML assertion should be signed and encrypted (requests & responses?)
2. SAML assertion should have a limited lifespan
3. Transport medium of the assertion should be TLS (1.0?)

Landed on a few cool resources: 

2. nullcon Goa 2014: O Dea Assertions Untwining the Security of the SAML protocol by Achin Kulshrestha - https://www.youtube.com/watch?v=HbwdTApYAoQ
3. On Breaking SAML: Be Whoever You Want to Be - https://www.youtube.com/watch?v=QLKM4USUlZs

I need some more help/insights on what other specific security measures should be taken, especially when on-boarding a new application to an existing SAML authentication system. Any specific risks that should be taken care of? SAML security best practices, references, books etc. would be of great help.

Thanks,
Taher
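The three requirements listed in the post (signed assertion, limited lifespan, TLS transport) are enforced on the service-provider side by a validation step that runs on every SAML Response. The example below is added here and is not code from the original post or from any particular SAML product. It shows the policy checks an SP should apply to a Response after an XML-DSig library (for example xmlsec) has cryptographically verified the signature: the Response must answer the AuthnRequest the SP actually sent, carry exactly one Assertion, the signature's Reference must bind to that Assertion's own ID rather than to some other element, the Issuer must be the trusted IdP, the Conditions window must be current and no longer than policy allows (with a small clock-skew allowance), and the Audience must name this SP. The entity IDs, IDs and timestamps in the sample Response are constructed for illustration.

```python
"""Policy checks an SP runs on a SAML 2.0 Response *after* the XML signature
has been cryptographically verified by an XML-DSig library (e.g. xmlsec).
If the IdP sends an EncryptedAssertion, decrypt it first and run these checks
on the resulting Assertion. All identifiers below are constructed examples."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SP_ENTITY_ID = "https://sp.example.test/metadata"  # assumed SP entity ID
TRUSTED_IDP = "https://idp.example.test/idp"       # assumed IdP entity ID
CLOCK_SKEW = timedelta(minutes=2)                  # tolerance for IdP/SP clock drift
MAX_LIFETIME = timedelta(minutes=5)                # requirement 2: short-lived assertions


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_in_response_to, now):
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # The Response must answer the AuthnRequest this SP issued (replay/unsolicited check).
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match the AuthnRequest we issued")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]

    # Requirement 1: the Assertion must be signed, and the signature must cover
    # *this* Assertion (Reference URI == '#' + its ID), not some sibling element.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
            problems.append("Signature Reference URI does not point at this Assertion's ID")

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != TRUSTED_IDP:
        problems.append(f"untrusted Issuer {issuer!r}")

    # Requirement 2: validity window must be current and short.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        nb = parse_saml_time(cond.get("NotBefore"))
        noa = parse_saml_time(cond.get("NotOnOrAfter"))
        if now + CLOCK_SKEW < nb:
            problems.append("assertion not yet valid")
        if now - CLOCK_SKEW >= noa:
            problems.append("assertion expired")
        if noa - nb > MAX_LIFETIME:
            problems.append("assertion lifetime exceeds policy")
        audiences = [e.text.strip() for e in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("assertion not addressed to this SP")
    return problems


# Constructed sample Response (signature value is a placeholder, not a real signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2015-01-28T10:25:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-28T10:25:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-01-28T10:25:00Z" NotOnOrAfter="2015-01-28T10:30:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = parse_saml_time("2015-01-28T10:27:00Z")
    print("fresh response:", validate_response(SAMPLE_RESPONSE, "_req1", now) or "accepted")
    print("expired response:",
          validate_response(SAMPLE_RESPONSE, "_req1", parse_saml_time("2015-01-28T10:33:00Z")))
```

Requirement 3 (TLS for the transport) is not visible to this code; it is enforced by the SP's HTTPS configuration for its Assertion Consumer Service endpoint, and the checks here assume the Response arrived over such a channel. Binding the signature Reference to the Assertion ID is what keeps a verified signature from being reused to vouch for a different Assertion in the same document, which is the core of the signature-wrapping issues discussed in the talks linked in the post.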
