[Owasp-leaders] SAML Cheatsheet

Jim Manico jim.manico at owasp.org
Wed Jun 17 04:26:55 UTC 2015


James and Gunnar,

Thank you for this astute feedback. I'll give you a shout when we push 
out a few updates related to your suggestions.

Thanks again and more soon.

Aloha,
- Jim
@manicode

On 6/15/15 9:44 AM, Gunnar Peterson wrote:
> Agree with James. Also, suggest adding a First Mile Integration and Last Mile Integration section. The SAML protocol is rarely the vector of choice, though it's important to have cheatsheets to make sure that this is robust. The various endpoints are more targeted, so how the SAML token is generated and how it is consumed are both important in practice.
>
> For First Mile
> - Strong Authentication options for generating the SAML token
> - IDP validation - which IDP mints the token
>
> For Last Mile
> - Validating session state for user
> - Level of granularity in setting authZ context when consuming SAML token (do you use groups, roles, attributes)
> - Validate authorized IDP
>
> Also, a reminder that just because it's a security protocol does not mean that input validation goes away. There should be a pointer to this for all SAML providers/consumers.
>
> -gunnar
> http://1raindrop.typepad.com
> @oneraindrop
>
>
>> On Jun 15, 2015, at 9:26 AM, McGovern, James <james.mcgovern at hp.com> wrote:
>>
>> Good document. A few thoughts:
>>
>> 1. Need to provide some guidance via links to things that could go wrong. For example, don't disable CRL/OCSP since SAML relies on certs. Should also warn against self-signed certs and prefer well-known Root CAs mandatory for transport and ideally for signing
>> 2. SAML applications generally use hostnames to identify issuers, but the SAML standard allows applications to use any string. We should validate in this regard.
>> 3. Include some guidance on sharing user identity across organizations. Make sure you aren't doing something dumb. Maybe guidance should include using opaque identifiers as outlined in Kim Cameron's law of identity
>>
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
>> Sent: Thursday, June 11, 2015 5:47 PM
>> To: owasp-leaders at lists.owasp.org; owasp-cheat-sheets at lists.owasp.org
>> Subject: [Owasp-leaders] SAML Cheatsheet
>>
>> Thank you to Pawel Krawczyk and Brad Broulik for releasing the first version of the OWASP SAML Cheatsheet! Nice work!
>>
>> https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet
>>
>> If you have SAML expertise and would care to review or enhance this cheat sheet, please dive in!
>>
>> Aloha,
>> Jim
>>
>> PS: I would also love to get an OAuth and OIDC cheat sheet rolling since these are core technologies towards delivering modern delegation and federation solutions. If you have solid expertise in one of these areas, please drop me a line and let's get these rolling.... :)
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
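The thread's "Last Mile" points (validate the authorized IdP, compare the Issuer as an exact string rather than a hostname, and keep doing input validation even though SAML is a security protocol) can be shown as a small relying-party check. The code below is an added example written for this archive page; it is not from the OWASP SAML cheat sheet or from any of the posters. The allowlist entries, the sample assertion, the NameID value and the fixed clock are all constructed; XML signature verification and certificate chain/CRL/OCSP checks are assumed to have been done beforehand by a real XML-DSig library and are not covered here.

```python
"""Relying-party claim checks on a SAML 2.0 assertion: exact Issuer allowlist,
AudienceRestriction and validity window. Added example; not from the cheat sheet."""
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed allowlist (assumption): keyed by the literal entityID string the trusted
# IdP puts in <saml:Issuer>, mapped to the Audience values this SP accepts from it.
TRUSTED_ISSUERS = {
    "https://idp.example.com/metadata": {"https://sp.example.com/saml"},
}

# Fixed clock for the demonstration (constructed), inside the sample validity window.
SAMPLE_NOW = datetime(2015, 6, 15, 9, 0, 30, tzinfo=timezone.utc)


class AssertionRejected(Exception):
    """Raised for any assertion that fails a check; callers treat it as an auth failure."""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime such as 2015-06-15T09:00:00Z into an aware datetime."""
    if not value.endswith("Z"):
        raise AssertionRejected("timestamp must be UTC with a trailing Z: %r" % value)
    try:
        return datetime.fromisoformat(value[:-1] + "+00:00")
    except ValueError:
        raise AssertionRejected("malformed timestamp: %r" % value)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return (issuer, name_id) for an acceptable assertion, otherwise raise.

    Assumption: the XML signature has already been verified and the signing
    certificate checked against an authorized root with CRL/OCSP; only the
    claim checks the thread asks for are implemented here.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AssertionRejected("not well-formed XML: %s" % exc)
    # Input validation still applies: accept exactly one element type at the top level.
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise AssertionRejected("unexpected root element %r" % root.tag)

    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text if issuer_el is not None else None
    # The standard lets Issuer be any string, so compare it exactly: no case folding,
    # no whitespace stripping, no hostname or prefix/suffix heuristics.
    if issuer not in trusted_issuers:
        raise AssertionRejected("issuer not in allowlist: %r" % issuer)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("missing Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise AssertionRejected("Conditions must carry NotBefore and NotOnOrAfter")
    if now < parse_saml_time(not_before) or now >= parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion outside its validity window")

    # Every AudienceRestriction must name at least one audience this SP accepts
    # from this issuer; an assertion with no restriction at all is rejected.
    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise AssertionRejected("missing AudienceRestriction")
    for restriction in restrictions:
        audiences = {a.text for a in restriction.findall("saml:Audience", NS)}
        if not audiences & trusted_issuers[issuer]:
            raise AssertionRejected("audience %r not meant for this SP" % sorted(audiences))

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise AssertionRejected("missing Subject NameID")
    return issuer, name_id.text


def accepted(xml_text, now=SAMPLE_NOW):
    """Convenience wrapper: True when the assertion passes every check."""
    try:
        validate_assertion(xml_text, now)
        return True
    except AssertionRejected:
        return False


def build_sample_assertion(issuer, audience):
    """Constructed, unsigned sample assertion for demonstration only (hypothetical values).
    The persistent, opaque NameID reflects the thread's point about opaque identifiers."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_constructed-1" Version="2.0" '
        'IssueInstant="2015-06-15T09:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        'f3c9a7d2-opaque-pairwise-id</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2015-06-15T08:59:00Z" NotOnOrAfter="2015-06-15T09:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion>'
    ) % (SAML_NS, issuer, audience)


if __name__ == "__main__":
    good = build_sample_assertion("https://idp.example.com/metadata", "https://sp.example.com/saml")
    print(validate_assertion(good, SAMPLE_NOW))
    lookalike = build_sample_assertion("https://idp.example.com/metadata.other.test",
                                       "https://sp.example.com/saml")
    print("lookalike issuer accepted?", accepted(lookalike))
```

The allowlist deliberately stores the full entityID string and compares with dictionary membership, so a value that merely contains or starts with the trusted hostname, differs in case, or carries surrounding whitespace is rejected; the same exact-match discipline is applied to the Audience element.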


