Avoid reusing a valid SAML Response sent from the IdP

Created on 9 January 2024, about 1 year ago

Problem/Motivation

The Authentication Request and Assertion are sent via browser redirects, so they pass through the user's browser. This makes them easy to steal via techniques such as cross-site scripting or malicious browser plugins.

Proposed resolution

OneTimeUse on the SAML Response will prevent a valid request and assertion from being reused.

Task
Status

Active

Version

4.0

Component

Code

Created by

mingsong (Australia)


Comments & Activities

  • Issue created by @mingsong
  • mingsong (Australia)
  • roderik (Netherlands; Amsterdam, NL / Budapest, HU)

    I guess this isn't implemented in the PHP-SAML module because it needs a cache backend.

    I guess what this needs is a cache backend to keep all IDs(?) of OneTimeUse, for a configurable period of time. It should probably be a "normal" cache bin so site administrators can make the cache permanent if they want by e.g. installing + configuring pcb.

    I was wondering why this doesn't get more attention on the internet than it does. Probably that's because, if HTTPS is used for communication with the IdP and the IdP is configured to common standards (i.e. only answer to requests from known certificates), it isn't that easy to steal SAML requests / assertions.
    (Maybe on a public computer that has a special browser extension installed to snoop and save those assertions...)
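Added example (Python, for illustration only; not code from this module or from php-saml, which are PHP) of the replay guard the issue summary proposes and the cache backend described in the comment above: every accepted Response and Assertion ID is kept in a store until the assertion's NotOnOrAfter plus a clock-skew allowance, and any ID presented a second time is refused. The sample Response is constructed and unsigned; `ReplayStore`, `check_response`, the IDs and the issuer URL are assumptions, and signature verification is assumed to have already succeeded before this check runs.

```python
"""Replay guard for SAML Responses: remember every accepted Response and
Assertion ID until the assertion could no longer be valid anyway, and refuse
any ID presented a second time.

Added illustration, not code from the module or from php-saml. The Response
is assumed to be signature-verified before check_response() sees it, and
ReplayStore stands in for a shared cache bin or table across web nodes.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample Response carrying a OneTimeUse condition.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-1" Version="2.0" IssueInstant="2024-01-09T10:00:00Z">
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-09T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-09T09:59:00Z" NotOnOrAfter="2024-01-09T10:05:00Z">
      <saml:OneTimeUse/>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_instant(value):
    """xs:dateTime in UTC ('...Z') to POSIX seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


class ReplayStore:
    """Seen IDs mapped to their retention deadline (POSIX seconds)."""

    def __init__(self):
        self._seen = {}

    def purge(self, now):
        # An entry is dropped only once the assertion itself has expired,
        # so dropping it can never reopen a replay window.
        self._seen = {k: v for k, v in self._seen.items() if v > now}

    def is_seen(self, ident):
        return ident in self._seen

    def record(self, ident, keep_until):
        self._seen[ident] = keep_until

    def __len__(self):
        return len(self._seen)


def check_response(xml_text, store, now, clock_skew=180):
    """Freshness and single-use check for every assertion in a Response.

    Returns a dict with 'accepted', 'reason', 'ids' and 'one_time_use'.
    clock_skew (seconds) tolerates IdP/SP clock drift and pads the retention
    time, so an ID stays in the store for as long as the assertion would
    still be accepted.
    """
    store.purge(now)
    root = ET.fromstring(xml_text)
    ids = [root.get("ID")]
    one_time_use = False
    keep_until = now + clock_skew  # fallback when no Conditions are present

    def verdict(accepted, reason):
        return {"accepted": accepted, "reason": reason,
                "ids": ids, "one_time_use": one_time_use}

    for assertion in root.findall("saml:Assertion", NS):
        ids.append(assertion.get("ID"))
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            continue
        if cond.find("saml:OneTimeUse", NS) is not None:
            one_time_use = True
        if cond.get("NotBefore") and now + clock_skew < parse_instant(cond.get("NotBefore")):
            return verdict(False, "assertion not yet valid")
        if cond.get("NotOnOrAfter"):
            not_after = parse_instant(cond.get("NotOnOrAfter"))
            if now >= not_after + clock_skew:
                return verdict(False, "assertion expired")
            keep_until = max(keep_until, not_after + clock_skew)

    # Replay check on every ID, whether or not OneTimeUse is asserted: the
    # element only makes the requirement explicit; always checking is stricter.
    for ident in ids:
        if not ident:
            return verdict(False, "element without ID")
        if store.is_seen(ident):
            return verdict(False, "replayed ID " + ident)
    for ident in ids:
        store.record(ident, keep_until)
    return verdict(True, "ok")


if __name__ == "__main__":
    store = ReplayStore()
    t0 = parse_instant("2024-01-09T10:00:30Z")
    print(check_response(SAMPLE_RESPONSE, store, t0))       # accepted
    print(check_response(SAMPLE_RESPONSE, store, t0 + 5))   # replayed ID
```

Two points carry over to a real backend: the store has to be shared by all web nodes (a per-node cache lets a replay succeed on a different node), and the "is it seen, then record it" pair should become one atomic insert on a unique key so that two concurrent deliveries of the same Response cannot both pass.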
