SAML: A Technical Primer(ssoready.com) |
SAML: A Technical Primer(ssoready.com) |
When using PKCE the relying party can use JWKS to validate the token instead of talking to the IdP.
Are you suggesting that, that is somehow insecure?
> At the request of the members, the Security Services (SAML) TC has closed.
0: https://news.ycombinator.com/item?id=41056529
There are tons of orgs that have built SSO on SAML so it won't die for a long time, but it's a frozen standard. From my understanding, it's frozen because no one wanted to put in the time to improve it.
OIDC doesn't scale, and OIDC Federation is still in draft. SAML Federation is mature with wide support and good discovery UX thanks to SeamlessAccess.
SAML has a variety of standard attribute bundles, entity categories, frameworks, and profiles covering important integrations, e.g., identity assurance. These are slowly being defined in (or ported to) OIDC.
I like OIDC and think highly of the people working on it, but it's nowhere near as cut and dry as you suggest.
I think... it probably is as cut and dry as I'm suggesting.
The things you just listed sounds like unnecessary complexity that inevitably leads to the “too big standard” problem, where every vendor and id provider has their own half assed, incomplete and incompatible implementation of the standard, or worse - with security bugs. Something quite often seen with SAML.
That’s not to say that oidc or oauth doesn’t have alignment issues. See https://news.ycombinator.com/item?id=35713518 “We implemented OAuth for the 50 most popular APIs. TL;DR: It is still a mess”
Factually incorrect
Frankly I’d suggest the same thing about Okta but as bad as they are whatever you do to avoid them would probably be worse in practice.
Healthcare, as an industry, is not making decisions based on what constitutes "good engineering", for the most part. There are so many other things I'd burn to the ground that are just ancient, ass-backwards things that the rest of the industry has moved on from, but healthcare clings to. (…IPSec, for example. God I'd like to not have to do double-NAT'ing with providers who don't even understand NAT and just expect me to recognize IP addresses that are only internal to their network and never exposed to me, ever again.)
I tried that with SAML (back then, it didn't require kludgy X.509 thumbprint management in AWS), and I ran away crying after a couple of days trying to understand why it fails.
The incredible overengineering of the XML signature specification is certainly to blame for this recent SAML verification vulnerability (from the same site): https://news.ycombinator.com/item?id=41586031
(Well, used : in luckily no longer in charge of an IdP with a bespoke SAML implementation so I don’t need to deal with this crap anymore!)
I intend to work on it further once my kid is… well, a little less of a toddler. :)
> As well in "HTTP Redirect Binding" or "HTTP POST Binding", The RelayState value MUST NOT exceed 80 bytes
From https://docs.oasis-open.org/security/saml/v2.0/saml-bindings...
At FusionAuth, we have an open issue for this: https://github.com/FusionAuth/fusionauth-issues/issues/2467 which you can read for more details.
SAML is full of these kinds of gotchas. We have an open source library which provides Java SAML bindings: https://github.com/FusionAuth/fusionauth-samlv2
FWIW, the for library I work on -- github.com/ssoready/ssoready -- we sidestepped this issue by simply not using SAML RelayState at all under the hood. Between the fact that it's vulnerable to attacker manipulation, and the size limits, it's not worth the pain. We just implement SAML RelayState / OAuth `state` via good old database persistence.
> We just implement SAML RelayState / OAuth `state` via good old database persistence.
I'm not sure I understand how this helps. You still need to support the parameter so that folks can pass information through the login state (for deeplinking, among other use cases). Which means you still need to process it and therefore are committed to either being noncompliant with the spec or providing functionality that is limited to 2005 sensibilities.
What am I missing?
What I have in mind - I'd say only very small population understand that OIDC / Oauth(orization) is about granting access to a service to access your data. Meaning once you have approved service (lets say Dropbox), now Dropbox can access your data on your google account (this of course depends what exactly dropbox asked and if you clicked on "approve", but most people do click as they want to login to Dropbox via their Google account).
SAML is better, as it can be defined at Google side what data is being sent to DropBox when Single Sign On happens and DropBox cannot access your google data as it sees fit.
SAML ain't perfect either because there's no practical way to "sign me out everywhere"
OIDC is far preferable to SAML, but the last time I touched this, half the reason why customers preferred SAML was because their IdP supported SCIM but only for SAML applications.
And yeah, you're right -- Okta, for example, doesn't let you add SCIM to an OIDC application. It's unfortunate -- there's no deep technical reason you can't mix OIDC and SCIM -- but it is the world we live in.
The "just" makes it sound like this is a minor point. This is a huge point. Enterprises are forced by their customers and regulators to show that terminated employees lose access immediately. There are two ways to make that happen: force everything to flow through a VPN, and SCIM. Most SaaS providers do not support IP allowlisting needed to enforce that all traffic flows through the VPN, and the only alternative to enforce that user sessions are terminated immediately is if the SaaS keeps sessions in a database and those sessions are revoked as part of SCIM. Otherwise the sessions could continue to be valid for days or even longer, presenting a risk of allowing terminated employees to wreck untold havok.
Is it just me or is anybody else going 'the fuck did I just read?' here? It's... incredibly condescending?
N. a complicated or unpleasant situation from which it is difficult to extricate oneself.
Indeed.
> You care about supporting SAML because your customer wants your product to support SAML. This is sound reasoning on your part. But why does your customer want SAML support?
> One click to login: why your users like SAML
What? No, the users don't know about SAML.
Anyways, no, users don't like SAML. OIDC has a much nicer UX.
"Suffering A Massive Lot" - jk
Let's just say my interaction with managing websites that used SAML was less than pleasant.
My interactions supporting it as both the identity provider & the service provider have lead to me being the SAML person at work, and I'm now very used to people either laughing at my misfortune or giving me pitiful looks.
It combines all the wonderful antipatterns you can name: a protocol where near everything is optional and two standards-compliant implementations can refuse to cooperate in any number of ways, hair raising security decisions (XML-DSIG?! configurable crypto? ughh), and half-baked features (back-channel SLO, anyone?)
It's a Lovecraftian horror that actually makes me appreciate JWTs.
The document is open source: https://github.com/ssoready/docs/pull/55
The "Continue with" buttons that include Microsoft, Google, and Apple, tend to pick up most SMBs without SAML SSO headaches on either side.
Like so:
https://www.xsplit.com/user/auth
https://id.atlassian.com/login
Use an email domain restriction, and you have by and large SSO; the user can only log into your SaaS if the user is an active account at that company.
Storing user passwords yourself is a liability, indirect or direct: https://www.reuters.com/technology/eu-privacy-regulator-fine...
The problem is when you work with smaller shops that don’t have IT departments or worse bad IT departments you’re going to pay a fortune in support costs.
Use an open source identity provider or pay someone to do it for you.
I'm not going to misleadingly edit my initial comment, and your comment is fair. I said "just" when I should have said "precisely". As in, I was already talking about how SAML interacts with "Bob from Sales got fired, probably should kick him out of the CRM". SAML gives you "Bob can't log into the CRM ever again", SCIM gives you "... and his CRM user and sessions are immediately revoked".
To be clear, SSOReady also has a "SCIM made easy" API, we definitely know about and care about helping people implement SCIM: https://ssoready.com/docs/scim/scim-quickstart
For example, the ID of a SAML `AuthnRequest` always gets echoed back to you in the SAML `Response`. So you can use that as an opaque identifier. You store ID/state pairs in the database when you start SAML logins, and look them back up when the assertion comes back to you. Basically, that's what we do on behalf of our customers.
It's a bit more work for us to implement, but it gives SSOReady customers the "deeplinking" functionality without the weird caveats that RelayState carries.
1. PKCE relies on very simple cryptography that is hard to implement incorrectly. There is only is only one protocol defined (SHA-256), and that protocol is considered safe. Allowing the "plain" protocol in the RFC was silly, but we were lucky that the RFC writers didn't go full bonkers like they did with JWT, and started digging up ancient ciphers in case someone really wants to run PKCE on a WW2 vintage Enigma machine. In short, PKCE has no weird or old cryptography.
2. PKCE is not considered mandatory or even recommended for confidential clients prior to OAuth 2.1 (which is still a draft). It is rarely implemented in these cases.
3. You cannot use JWKS for PKCE. I believe you are confusing PKCE with the ID Token, but the GP was specifically talking about the Authorization Code flow, where the ID Token doesn't really matter. If you're using that flow an unfortunate piece of over-engineered industrial waste[1], but if you're using the Authorization Code flow it doesn't matter: even if the ID Token is completely broken, it cannot hurt you, since you must have a correct authorization code to get it in the first place.
4. Even if PKCE itself gets broken somehow (the main risk being an IdP that allows downgrade attacks), this only makes the protocol vulnerable to CSRF on confidential clients. Only on public clients that rely on custom URL schemes (such as native apps), this can lead to a more serious exploit.
[1] Sadly, this is coming from the same people who wrote the PKCE spec. On one hand they think your system might be too constrained to support SHA-256, so we need to add the "plain" algorithm, but on the other hand, they make RSA signatures (including SHA-256!) a mandatory part of the Open ID Connect spec through this totally unnecessary token.
Yes, it is a good recommendation if the customers have an IT Department.
But I'd argue you're missing the other half.
It's an even better recommendation if the customer is using M365, Google Workspaces, or Apple Business Manager, without an IT Department, since they don't need an IT Department at all to get effectively the same benefit as SSO.
After your initial setup to accept OIDC as the SaaS or PaaS, neither you nor the customer have to do an "integration" to support additional customers of Microsoft, Google, or any other OIDC provider you add. You could let your customer validate an email domain to ensure their sign-ins are theirs, but other than that, once you support OIDC with their provider, nobody has to do anything.
Something on the order of 80% of SMB in the U.S. are on O365/M365 by some measures, and judging from startups here, every tech startup thinks everyone's on Google Workspaces like they are, so that's the other 80%. :-) Toss in socials if you are B2C instead of B2B, and of course Apple IDs if you are targeting users by "wallet share".
You get the key benefit of SSO while your clients do not need to integrate one by one. And...
> Use an open source identity provider or pay someone to do it for you.
Or, don't do that effort at all, use what's baked in and just take the win.
If you're a relying party, and you want to integrate with Okta, Google, other OIDC-supporting IdPs … implement OIDC!
If you're on the RP side and you have to integrate with an IdP that only speaks SAML and not OIDC, well, then you're probably out of luck and just have to make the call: is it worth the business? Maybe it is. Then you implement SAML.
Apples to apples, is it's not much different. XSD is just as complex as JSONSchema.
Verbose? Sure.
But people love XML so much, they invented JS-and-XML (JSX). :shrug:
No, the main problem with SAML is that it relies on XML Signatures (XMLDSig). And the main problem with XML Signatures is that the signature needs to be embedded inside the XML it's signing, instead of being attached to it, like every other signature standard on the planet.
[1] The added complexity is not just attributes and namespace, but also entities, DTD and processing instructions. If you want even the most basic type checking, XML schema becomes mandatory. This is important, since JSON doesn't need a schema for handling basic types, and in fact OAuth 2.0 and Open ID Connect do not rely on JSON Schema at all.
[2] See the OWASP cheatsheet for all the ways accepting XML input from the internet can put your application in danger: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_...
No equivalent document exists for JSON.
Huh?
> the main problem with SAML is that it relies on XML Signatures (XMLDSig). And the main problem with XML Signatures is that the signature needs to be embedded inside the XML it's signing, instead of being attached to it, like every other signature standard on the planet.
You are correct that is the hardest part of SAML, but to be clear, there's a SignatureValue element that is separate from SignedInfo.
And you can use a library to sign. I don't see many implementing their own JWT signatures either.
Rotating the keys would make some sense, but just swapping the cert for a new one issued against the same keys doesn't. It's the easiest way to fulfill those requirements, because you don't need to synchronize the metadata updates, the signatures are always valid with both the old and new cert.
> synchronize the metadata updates
Sadly I know many implementations that do not handle key changes in the metadata in a smooth way. The two SPs I have from Adobe both require manual updating of one key per idp, making a switch pain to synchronize.
IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.
Browser sends artifact to RP, RP fetches assertion from IdP via HTTPs, afterwards verifies the signature.
Signature verification is not implemented correctly? The attacker still needs to break HTTPS…. And then you would have a big problem anyway.
At the very least: if I was ever to do SAML, I would rip your face off in the pricing for it.
I've been told that the only source of problems is going to be companies using Shibboleth, even though there seems to be an OIDC plugin.
But human behavior change is hard and expensive. For the most part, it's just easier to give the customer what they're asking for / what they expect, even when you know they're wrong.
When you're trying to push an enterprise deal over the finish line, this is often just not a good enough reason to introduce friction with your buying committee.
And if you have to support SAML for one stubborn customer eventually, you might as well support SAML for all customers that really want it.
A computer programmer wouldn't even know where to begin, as the chesterton's fence had long been rejustified
"in theory, it's easy in practice. in practice, its easy in theory"