[Owasp-leaders] SAML Cheatsheet

McGovern, James james.mcgovern at hp.com
Mon Jun 15 14:26:56 UTC 2015


Good document. A few thoughts:

1. Need to provide some guidance via links to things that could go wrong. For example, don't disable CRL/OCSP since SAML relies on certs. Should also warn against self-signed certs and prefer well-known Root CAs mandatory for transport and ideally for signing
2. SAML applications generally use hostnames to identify issuers, but saml standard allows applications to use any string. We should validate in this regard.
3. Include some guidance on sharing user identity across organizations. Make sure you aren't doing something dumb. Maybe guidance should include using opaque identifiers as outlined in Kim Cameron's law of identity


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, June 11, 2015 5:47 PM
To: owasp-leaders at lists.owasp.org; owasp-cheat-sheets at lists.owasp.org
Subject: [Owasp-leaders] SAML Cheatsheet

Thank you to Pawel Krawczyk and Brad Broulik for releasing the first version of the OWASP SAML Cheatsheet! Nice work!

https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet

If you have SAML expertise and would care to review or enhance this cheat sheet, please dive in!

Aloha,
Jim

PS: I would also love to get an OAuth and OIDC cheat sheet rolling since these are core technologies towards delivering modern delegation and federation solutions. If you have solid expertise in one of these areas, please drop me a line and lets get these rolling.... :)


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list