Comment by dudeinjapan a day ago

Recent RubySaml contributor here. The problem in this issue is not only RubySaml, but actually much older code in a module called XmlSecurity.

Some major problems with SAML are 1) the user’s browser acts as a MITM between the SP and IdP on all requests (vector for this attack), and 2) it requires the IdP and SP to maintain their own certs, which is fine in theory, but humans at big corps are lazy, and the complexity causes people to be lax on security.

SigmundA a day ago

>1) the user’s browser acts as a MITM between the SP and IdP on all requests (vector for this attack)

This is exactly how OIDC implicit flow works. The basic difference is using JWT instead of signed XML; otherwise it's nearly identical, I mean public/private key signing is the basis for JWT and XML sig.

SAML also supports artifact binding, which would use a back channel similar to other OIDC flows, but I haven't seen it used much because it makes things more complicated and requires the SP to be able to communicate with the IdP.
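The point both commenters circle around (the user's browser sits in the middle of the front-channel exchange, and a public/private key signature is what lets the SP trust what arrives anyway) is easy to see with a minimal RS256 JWT. The following is an added example written for this thread, not code from RubySaml, XmlSecurity or either commenter: the IdP mints a token, the SP verifies it with the IdP's public key, and a relaying party that edits the claims gets a signature failure. Issuer, audience and subject values are constructed; the verifier pins the expected algorithm and checks `exp` and `aud` because those checks are what a signature alone does not give you.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example (not from the thread or any library): minimal RS256 JWT
# mint/verify showing why a browser relaying the token cannot change claims
# without breaking the signature, and what the relying party must check
# beyond the signature. All issuer/audience/subject values are constructed.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  # Re-add padding so strict decoding accepts unpadded JWT segments.
  Base64.urlsafe_decode64(str + '=' * ((4 - str.size % 4) % 4))
end

# IdP side: sign header.payload with the IdP's private key.
def mint_token(private_key, claims)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# SP side: verify with the IdP's public key, then check the claims.
# Returns [true, claims] or [false, reason].
def verify_token(public_key, token, expected_aud:)
  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  return [false, 'malformed'] unless header_b64 && payload_b64 && sig_b64

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm on the SP side; never let the token choose it.
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'

  signing_input = "#{header_b64}.#{payload_b64}"
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), signing_input)
  return [false, 'bad signature'] unless ok

  claims = JSON.parse(b64url_decode(payload_b64))
  return [false, 'expired'] if claims['exp'].to_i <= Time.now.to_i
  return [false, 'wrong audience'] unless claims['aud'] == expected_aud

  [true, claims]
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  [false, 'malformed']
end

# What a party in the relay position could attempt: swap the payload while
# keeping the original signature. Used here only to show the verifier rejects it.
def tamper_payload(token, new_claims)
  header_b64, _payload_b64, sig_b64 = token.split('.', 3)
  "#{header_b64}.#{b64url(JSON.generate(new_claims))}.#{sig_b64}"
end

def demo
  idp_key = OpenSSL::PKey::RSA.new(2048) # constructed IdP key pair
  claims = {
    'iss' => 'https://idp.example',  # constructed issuer
    'sub' => 'alice',
    'aud' => 'sp.example',           # constructed SP audience
    'exp' => Time.now.to_i + 300
  }
  token = mint_token(idp_key, claims)

  good   = verify_token(idp_key.public_key, token, expected_aud: 'sp.example')
  forged = verify_token(idp_key.public_key,
                        tamper_payload(token, claims.merge('sub' => 'admin')),
                        expected_aud: 'sp.example')
  { good: good, forged: forged }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "untampered: #{r[:good].inspect}"
  puts "tampered:   #{r[:forged].inspect}"
end
```

The same shape applies to a signed SAML response: the signature binds the assertion bytes, the relying party still has to pin which signing key and algorithm it accepts and check audience and validity window itself, and the browser in between can only replay or drop the message, not rewrite it unchecked.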