Title :
Security analysis of the SAML single sign-on browser/artifact profile
Author_Institution :
IBM Zurich Res. Lab., Ruschlikon, Switzerland
Abstract :
Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The security assertion markup language (SAML) is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user-management costs. SAML utilizes a constraint-based specification that is a popular design technique of this protocol class. It does not include a general security analysis, but provides an attack-by-attack list of countermeasures as security consideration. We present a security analysis of the SAML single sign-on browser/artifact profile, which is the first one for such a protocol standard. Our analysis of the protocol design reveals several flaws in the specification that can lead to vulnerable implementations. To demonstrate their impact, we exploit some of these flaws to mount attacks on the protocol.
Keywords :
cryptography; formal specification; hypermedia markup languages; message authentication; online front-ends; business-to-business scenarios; constraint-based specification; federated identity management; protocol class; protocol standard; security analysis; security assertion markup language; single sign-on browser/artifact profile; Access control; Access protocols; Authentication; Companies; Costs; Identity management systems; Laboratories; Markup languages; Proposals; Security;
Conference_Titel :
Computer Security Applications Conference, 2003. Proceedings. 19th Annual
Print_ISBN :
0-7695-2041-3
DOI :
10.1109/CSAC.2003.1254334
