
From implementing IdP-side flow (in nuclei?)

  • !!

From implementing a misbehaving SP

  • !!

From eduGAIN Community

  • !!

From elsewhere (to compile, prune and turn into testable SP behaviours)

  • The signature was not checked at all: a modified message was accepted
  • A modified message carrying a signature was rejected, but a message without any signature was accepted
  • Multiple signatures on the same message, or signature-wrapping attacks
  • Only part of the message was correctly signed, but an unsigned part carrying attributes was accepted

Response checks

  • The response is signed
  • The reference in the response signature is valid
  • The correct certificate is supplied in the keyinfo
    • Various certificate problems...
  • The signature in the response is not valid

Assertion checks

  • The assertion is signed
  • The signature in the assertion is not valid
  • The reference in the assertion signature is valid
  • Various certificate problems...
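A structural pre-check for several of the behaviours listed above (response and assertion signed, the signature Reference naming the signed element, duplicate IDs from signature wrapping, an unsigned assertion beside a signed one), as an added example that is not part of this page or of any eduGAIN tooling. It assumes unencrypted assertions and uses only the standard library; it runs before, not instead of, cryptographic verification by an XML-DSig library.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_enveloped_signature(element, index, label):
    """Structural checks to run before an XML-DSig library verifies the signature on
    `element`: signed at all, exactly one Reference, that Reference naming `element`
    itself, and that ID unique in the whole document (a duplicate suggests wrapping)."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return ["%s: not signed" % label]
    problems = []
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("%s: expected one Reference, found %d" % (label, len(refs)))
    for ref in refs:
        uri = ref.get("URI", "")
        if uri != "#" + element.get("ID", ""):
            problems.append("%s: Reference URI %r does not name the signed element" % (label, uri))
        elif len(index.get(uri[1:], [])) != 1:
            problems.append("%s: ID %r is not unique in the document" % (label, uri[1:]))
    return problems

def check_response(xml_text, require_response_signature=True):
    """Return the problems found; an empty list means the structure is sound."""
    root = ET.fromstring(xml_text)
    index = {}  # ID value -> elements carrying it; every ID must be unique
    for el in root.iter():
        index.setdefault(el.get("ID"), []).append(el)
    problems = []
    if require_response_signature or root.find("ds:Signature", NS) is not None:
        problems += check_enveloped_signature(root, index, "Response")
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        problems.append("Response: expected exactly one Assertion, found %d" % len(assertions))
    for a in assertions:
        problems += check_enveloped_signature(a, index, "Assertion " + a.get("ID", "?"))
    return problems

# Constructed samples (no real keys, SignatureValue omitted): GOOD carries one assertion-level
# signature naming the assertion; WRAPPED also hides a copy with the same ID under Extensions.
ASSERTION = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
             '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>%s</saml:Assertion>')
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">%s</samlp:Response>')
GOOD = RESPONSE % (ASSERTION % "<saml:Subject/>")
WRAPPED = RESPONSE % ("<samlp:Extensions>" + ASSERTION % "<saml:Subject/>" + "</samlp:Extensions>"
                      + ASSERTION % "<saml:AttributeStatement/>")
```

`check_response(GOOD, require_response_signature=False)` returns an empty list, while the WRAPPED sample is flagged because `_a1` occurs twice, which is exactly the ambiguity a wrapping attack relies on.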
  • Signature Verification Failure: The receiving party (Service Provider or Identity Provider) fails to verify the digital signature on the SAML message or assertion. This can occur due to various reasons, including key mismatches or issues with the digital signature algorithm.

  • Key Mismatch: The public key used for signature verification doesn't match the key used for signing the message. This can result from using the wrong keys or certificates.

  • Expired Certificates: The signing or verification certificates have expired. Certificates must be valid during the signing and verification process.

  • Incorrect Algorithm: There might be a mismatch in the cryptographic algorithm used for signing and verification. SAML supports various algorithms, and both parties must agree on the algorithm to use.

  • Incorrect Canonicalization: Canonicalization is the process of transforming the XML content before signing it. If the canonicalization method used for signing differs from the one used for verification, it can lead to signature verification failure.

  • Manipulated Message: If the SAML message or assertion is altered in transit or tampered with, the signature will no longer match the content, causing a verification failure.

  • Certificate Revocation: If the signing or verification certificate has been revoked, it can lead to signature verification problems. Certificate revocation should be checked during the verification process.

  • Incorrect Signature Location: The SAML signature might be in the wrong location or not properly encapsulated in the XML message.

  • Missing Signature: The SAML message or assertion is expected to have a signature, but it's missing or not correctly included.

  • Signature Algorithm Weakness: The use of weak cryptographic algorithms or insufficient key lengths can make the signature vulnerable to attacks.

  • Clock Skew: There might be a time difference between the systems, causing issues with the validity period of the signature.

  • XML Namespace Issues: Differences in XML namespaces between the signing and verifying parties can result in signature verification problems.

  • XML Structure Changes: Even seemingly minor changes in the XML structure can invalidate the signature. It's important to maintain the integrity of the entire XML document.

  • Signature Wrapping Attacks: In some cases, attackers may try to exploit vulnerabilities in the XML processing libraries or the way signatures are implemented. These can lead to signature issues.
