Vulnarex | Elite Cybersecurity Learning Platform

#The Enterprise Standard for Single Sign-On#link

While OAuth is designed for delegated authorization, SAML (Security Assertion Markup Language) is the backbone of enterprise identity. It allows a user to authenticate once at a central authority and gain access to multiple independent corporate applications without re-entering credentials.

The Trust Relationship: IdP and SP

SAML relies on a pre-established trust relationship between two parties: the Identity Provider (IdP), which manages the user directory, and the Service Provider (SP), which provides the actual application.

callout

Unlike OAuth, where the user 'consents' to an app, SAML is typically a corporate mandate. The trust is established via the exchange of metadata files containing public keys and endpoints.

Component	Responsibility	Example
Identity Provider (IdP)	Authenticates user, issues assertions	Okta, Azure AD, PingIdentity
Service Provider (SP)	Provides the resource, verifies assertion	Salesforce, AWS Console, Workday
SAML Assertion	The 'ticket' containing user identity	Signed XML Document
Metadata	Configuration for trust exchange	XML Metadata File

The process begins with an exchange of metadata. The SP tells the IdP where to send the assertion (Assertion Consumer Service URL), and the IdP provides its public certificate so the SP can verify the digital signature of the assertion.

The Role of the User Agent

info

💡 In SAML, the user's browser acts as a 'bridge' or 'messenger,' carrying signed XML assertions from the IdP to the SP via HTTP redirects and POST requests.

Simulating a SAML Request Initiation

root@vulnarex:~#curl -v "https://sp.example.com/saml/initiate"

The terminal output shows the SP initiating the flow. It redirects the user to the IdP with a `SAMLRequest`. The user authenticates at the IdP, which then redirects them back to the SP with a `SAMLResponse`.

Production Considerations

STRICT SECURE AUDIT RULE

SAML's reliance on XML makes it vulnerable to specific parsing attacks, such as XML External Entity (XXE) and XML Signature Wrapping (XSW), if the parser is not properly hardened.

▪Always validate the signature of the entire assertion
▪Enforce strict time-to-live (TTL) on assertions to prevent replay
▪Use encrypted assertions for sensitive user data
▪Regularly rotate IdP signing certificates

STRICT SECURE AUDIT RULE

Failure to validate the 'Audience' restriction in the assertion can allow a token meant for one application to be used to access another.

quiz BLOCK (★ 50 XP)

What is the primary medium used by SAML to convey identity information between the IdP and the SP?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The Trust Loop