Compass Security. [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula



Similar documents
This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

SAML and OAUTH comparison

Agenda. How to configure

Web Based Single Sign-On and Access Control

How To Use Saml 2.0 Single Sign On With Qualysguard

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

IBM WebSphere Application Server

Federated Identity Management

SAML Single-Sign-On (SSO)

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

TIB 2.0 Administration Functions Overview

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Using SAML for Single Sign-On in the SOA Software Platform

Server based signature service. Overview

IAM Application Integration Guide

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

On Breaking SAML: Be Whoever You Want to Be

OIOSAML 2.0 Toolkits Test results May 2009

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Setting Up Federated Identity with IBM SmartCloud

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Get Success in Passing Your Certification Exam at first attempt!

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Feide Technical Guide. Technical details for integrating a service into Feide

SAML Authentication within Secret Server

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

This section includes troubleshooting topics about single sign-on (SSO) issues.

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

On Breaking SAML: Be Whoever You Want to Be OWASP The OWASP Foundation Juraj Somorovsky and Christian Mainka

SAML-Based SSO Solution

Microsoft Office 365 Using SAML Integration Guide

Feide Integration Guide. Technical Requisites

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

The Vetuma Service of the Finnish Public Administration SAML interface specification Version: 3.5

The increasing popularity of mobile devices is rapidly changing how and where we

Copyright: WhosOnLocation Limited

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

Single Sign On for ZenDesk with NetScaler. Deployment Guide

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Single Sign-On Implementation Guide

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Single Sign-On Implementation Guide

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Configuring. Moodle. Chapter 82

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

SAML basics A technical introduction to the Security Assertion Markup Language

Single Sign On for GoToMeeting with NetScaler

Single Sign on Using SAML

Single Sign On Integration Guide. Document version:

SAML SSO Configuration

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

CA Performance Center

Logout Support on SP and Application

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

OpenLogin: PTA, SAML, and OAuth/OpenID

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

SAML Security Assertion Markup Language

Web Single Sign-On Authentication using SAML

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Single Sign On for Google Apps with NetScaler. Deployment Guide

SAML Security Option White Paper

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Criteria for web application security check. Version

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Introduction to SAML. Jason Rouault Section Architect Internet Security Solutions Lab Hewlett-Packard. An XML based Security Assertion Markup Language

Department Service Integration with e-pramaan

GFIPM Web Browser User-to-System Profile Version 1.2

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

SAML v2.0 for.net Developer Guide

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Appendix 1 Technical Requirements

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Authentication Methods

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Introducing Shibboleth

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Leveraging SAML for Federated Single Sign-on:

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Transcription:

Compass Security [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula Compass Security Deutschland GmbH Tauentzienstr. 18 De-10789 Berlin Tel. +49 30 21 00 253-0 Fax +49 30 21 00 253-69 team@csnc.de www.csnc.de

May I introduce myself? Stephan Sekula With Compass since August 2013 Career: Studied Computer Science, worked in research, now gathering practical experience Expertise Web Application Security Mobile Security Social Engineering basics (from Psychology minor) Hobbies Cooking & baking Bicycling Climbing IT-Security Slide 2

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 3

Introduction to SAML Security Assertion Markup Language Slide 4

Introduction to SAML Components Client/User Wants to authenticate (i.e., assert a particular identity) Service Provider (SP) Provides a certain service the client wants to use Trusts certain Identity Providers (and their Assertions) SP ascertains a user s identity based on IdP s Assertion Identity Provider (IdP) Checks the clients identity Issues SAML Assertions ( proof of identity ) Communicates these Assertions to the Service Provider Slide 5

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 6

Use-Case IG B2B BrokerGate 941 Brokers 4146 Users 22 Insurances (Service Providers) Sfaeras SA Tectron AG Finanzberatung Mentor Assekuranz AG Mirilex GmbH SAML 2.0 IdP Slide 7

Use-Case IG B2B BrokerGate 45000 40000 35000 30000 25000 20000 15000 10000 Logins per Month User Accounts 5000 0 Jan 13 Mrz 13 Mai 13 Jul 13 SepNov Jan 13 13 14 Mrz 14 Mai 14 Jul 14 Sep Nov Jan 14 14 15 Mrz 15 Mai 15 Jul 15 Sep Nov 15 15 Slide 8

Use-Case SWITCHaai University Hospital Webmail Student Admin elearning Library Where are you from? Research DB ejournals aai: Authentication and Authorization Infrastructure Slide 9

Use-Case SWITCHaai Slide 10

Use-Case SWITCHaai On average: 50 SAML authentication requests per second Slide 11

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 12

SAML Protocol Details SAML Profiles are a combination of SAML Assertions, Protocols, and Bindings for particular use cases, e.g., Web Browser SSO Profile Bindings specify how the various messages are carried over underlying transport protocols, e.g., HTTP redirect or POST SAML defines a number of Protocol messages, e.g., authentication request, artifact resolution, and single logout An IdP uses Assertions to convey a subject s identity (including the used authentication method) to an SP Slide 13

Web Browser SSO Profile (Redirect/POST) SP-Initiated SSO with Redirect and POST Bindings Source: http://docs.oasis-open.org/security/saml/post2.0/sstc-saml-tech-overview-2.0.pdf Slide 14

Web Browser SSO Profile (Artifact) SP-Initiated SSO with POST/Artifact Bindings Source: http://docs.oasis-open.org/security/saml/post2.0/sstc-saml-tech-overview-2.0.pdf Slide 15

SAML Assertion SAML Assertion Version AssertionID IssueInstant Issuer Subject AuthnStatement AuthInstant AuthnContext AuthnContextClassRef IdP EntityId NameID UserId Attribute Attribute Conditions NotBefore NotAfter AudienceRestriction SP EntityID Attribute Digital Signature X.509 Signing Certificate Signature Algorithm, Transforms Digest Sig. Value Slide 16

XML Signature Assertion Signing: C14N SHA-1 RSA Assertion Digest Signature Verification: + RSA Slide 17

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 18

SAML Attacks Technologies SAML XML Signatures X.509 Certificates Slide 19

SAML Attacks SAML Guessable Session ID Attacker is able to logout other users Eavesdropped SAML Message Attacker captures SAML message Attacker replays captured message Slide 20

SAML Attacks XML Signature Exclusion XML signature is deleted XML Signature Wrapping (XSW) Manipulating XML contents while keeping the signature valid Slide 21

SAML Attacks Signature Wrapping SAML Manipulated Message Root Assertion id=evil id=23 (XSW) saml:subject Signature SignedInfo Reference URI=23 Slide 22

SAML Attacks Certificate Tampering Precondition: Certificate is embedded in the message Types of attacks: Clone a certificate, generate new key material, sign message Same as above, but clone entire chain Use a certificate signed by another official CA Use a revoked certificate Slide 23

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 24

Demo Exploit CVE-2015-5372 SAML SP Authentication Bypass Discovered in June 2015 by Compass Security Preconditions: SAML POST Binding is used SP does not validate all attributes contained in X.509 certificate SP uses certificate contained in the SAML message (not the one in its certificate store) Slide 25

Demo Exploit CVE-2015-5372 SAML SP Authentication Bypass ############################################################# # # COMPASS SECURITY ADVISORY # http://www.csnc.ch/en/downloads/advisories.html # ############################################################# # # Product: [CUT BY COMPASS] # Vendor: [CUT BY COMPASS] # CVD ID: CVE-2015-5372 # Subject: Authentication Bypass # Risk: Critical # Effect: Remotely exploitable # Authors: Antoine Neuenschwander (antoine.neuenschwander () csnc ch) # Roland Bischofberger (roland.bischofberger () csnc ch) # Date: 2015-09-21 # ############################################################# Slide 26

Demo Exploit Steps 1. Intercept Assertion 2. Extract certificate 3. Clone certificate; generate new keys 4. Manipulate Assertion, e.g., change username 5. Remove original signature; sign manipulated Assertion using the cloned certificate Problem Complicated workflow Assertion is often only valid for some minutes Slide 27

Demo Exploit Solution SAMLRaider extension for burp Developed as part of a Bachelor thesis (in cooperation with Compass Security) https://github.com/samlraider/samlraider Slide 28

Demo Exploit Slide 29

Agenda Introduction to SAML Use-Cases Protocol Details SAML Attacks Demo Exploit Remediation Slide 30

Remediation Use artifact binding (no contents stored on client) If POST Binding is required: Use encrypted messages Only process signed XML tree (delete other contents) Use key material on the SP or IdP (not embedded keys) Add a random number to every signed element that has been verified successfully This number needs to be checked in following steps This requires a modified XML schema Slide 31

Open discussion Slide 32

Thank you! Thank you for your attention! Slide 33

Contact Compass Security Deutschland GmbH Tauentzienstr. 18 10789 Berlin Germany team@csnc.de www.csnc.de +49 30 21 00 253-0 Secure File Exchange: www.filebox-solution.com PGP-Fingerprint: Slide 34

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information