hacktricks/pentesting-web/saml-attacks/saml-basics.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


# SAML Overview

**Security Assertion Markup Language (SAML)** enables identity providers (IdP) to be utilized for sending authorization credentials to service providers (SP), facilitating single sign-on (SSO). This approach simplifies the management of multiple logins by allowing a single set of credentials to be used across multiple websites. It leverages XML for standardized communication between IdPs and SPs, linking the authentication of user identity with service authorization.

## Comparison between SAML and OAuth

- **SAML** is tailored towards providing enterprises with greater control over SSO login security.
- **OAuth** is designed to be more mobile-friendly, uses JSON, and is a collaborative effort from companies like Google and Twitter.

# SAML Authentication Flow

**For further details check the full post from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)**. This is a summary:

The SAML authentication process involves several steps, as illustrated in the schema:

![https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg](https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg)

1. **Resource Access Attempt**: The user tries to access a protected resource.
2. **SAML Request Generation**: The SP does not recognize the user and generates a SAML Request.
3. **Redirect to IdP**: The user is redirected to the IdP, with the SAML Request passing through the user's browser.
4. **IdP Receives Request**: The IdP receives the SAML Request.
5. **Authentication at IdP**: The IdP authenticates the user.
6. **User Validation**: The IdP validates the user's legitimacy to access the requested resource.
7. **SAML Response Creation**: The IdP generates a SAML Response containing necessary assertions.
8. **Redirect to SP's ACS URL**: The user is redirected to the SP's Assertion Consumer Service (ACS) URL.
9. **SAML Response Validation**: The ACS validates the SAML Response.
10. **Resource Access Granted**: Access to the initially requested resource is granted.

# SAML Request Example

Consider the scenario where a user requests access to a secure resource at [https://shibdemo-sp1.test.edu/secure/](https://shibdemo-sp1.test.edu/secure/). The SP identifies the lack of authentication and generates a SAML Request:

```
GET /secure/ HTTP/1.1
Host: shibdemo-sp1.test.edu
...
```

The raw SAML Request looks like this:

```xml
<?xml version="1.0"?>
<samlp:AuthnRequest ...
</samlp:AuthnRequest>
```

Key elements of this request include:
- **AssertionConsumerServiceURL**: Specifies where the IdP should send the SAML Response post-authentication.
- **Destination**: The IdP's address to which the request is sent.
- **ProtocolBinding**: Defines the transmission method of SAML protocol messages.
- **saml:Issuer**: Identifies the entity that initiated the request.

Following the SAML Request generation, the SP responds with a **302 redirect**, directing the browser to the IdP with the SAML Request encoded in the HTTP response's **Location** header. The **RelayState** parameter maintains the state information throughout the transaction, ensuring the SP recognizes the initial resource request upon receiving the SAML Response. The **SAMLRequest** parameter is a compressed and encoded version of the raw XML snippet, utilizing Deflate compression and base64 encoding.


# SAML Response Example

You can find a [full SAML response here](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/). The key components of the response include:

- **ds:Signature**: This section, an XML Signature, ensures the integrity and authenticity of the issuer of the assertion. The SAML response in the example contains two `ds:Signature` elements, one for the message and the other for the assertion.
- **saml:Assertion**: This part holds information about the user's identity and possibly other attributes.
- **saml:Subject**: It specifies the principal subject of all the statements in the assertion.
- **saml:StatusCode**: Represents the status of the operation in response to the corresponding request.
- **saml:Conditions**: Details conditions like the validity timing of the Assertion and the specified Service Provider.
- **saml:AuthnStatement**: Confirms that the IdP authenticated the subject of the Assertion.
- **saml:AttributeStatement**: Contains attributes describing the subject of the Assertion.

Following the SAML Response, the process includes a 302 redirect from the IdP. This leads to a POST request to the Service Provider's Assertion Consumer Service (ACS) URL. The POST request includes `RelayState` and `SAMLResponse` parameters. The ACS is responsible for processing and validating the SAML Response.

After the POST request is received and the SAML Response is validated, access is granted to the protected resource initially requested by the user. This is illustrated with a `GET` request to the `/secure/` endpoint and a `200 OK` response, indicating successful access to the resource.


# XML Signatures

XML Signatures are versatile, capable of signing an entire XML tree or specific elements within it. They can be applied to any XML Object, not just Response elements. Below are the key types of XML Signatures:

### Basic Structure of XML Signature
An XML Signature consists of essential elements as shown:

```xml
<Signature>
  <SignedInfo>
    <CanonicalizationMethod />
    <SignatureMethod />
    <Reference>
       <Transforms />
       <DigestMethod />
       <DigestValue />
    </Reference>
    ...
  </SignedInfo>
  <SignatureValue />
  <KeyInfo />
  <Object />
</Signature>
```

Each `Reference` element signifies a specific resource being signed, identifiable by the URI attribute.

### Types of XML Signatures

1. **Enveloped Signature**: This type of signature is a descendant of the resource it signs, meaning the signature is contained within the same XML structure as the signed content.

   Example:
   ```xml
   <samlp:Response ... ID="..." ... >
       ...
       <ds:Signature>
           <ds:SignedInfo>
               ...
               <ds:Reference URI="#...">
                   ...
               </ds:Reference>
           </ds:SignedInfo>
       </ds:Signature>
       ...
   </samlp:Response>
   ```

   In an enveloped signature, the `ds:Transform` element specifies that it's enveloped through the `enveloped-signature` algorithm.

2. **Enveloping Signature**: Contrasting with enveloped signatures, enveloping signatures wrap the resource being signed.

   Example:
   ```xml
   <ds:Signature>
       <ds:SignedInfo>
           ...
           <ds:Reference URI="#...">
               ...
           </ds:Reference>
       </ds:SignedInfo>
       <samlp:Response ... ID="..." ... >
           ...
       </samlp:Response>
   </ds:Signature>
   ```

3. **Detached Signature**: This type is separate from the content it signs. The signature and the content exist independently, but a link between the two is maintained.

   Example:
   ```xml
   <samlp:Response ... ID="..." ... >
       ...
   </samlp:Response>
   <ds:Signature>
       <ds:SignedInfo>
           ...
           <ds:Reference URI="#...">
               ...
           </ds:Reference>
       </ds:SignedInfo>
   </ds:Signature>
   ```

In conclusion, XML Signatures provide flexible ways to secure XML documents, with each type serving different structural and security needs.


## References
* [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-10 10:22:19 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-10 10:22:19 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-10 10:22:19 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
A 2024-02-09 07:14:36 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-10 10:22:19 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


a 2024-02-04 16:10:29 +00:00			`# SAML Overview`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-06 14:12:47 +00:00			`Security Assertion Markup Language (SAML) enables identity providers (IdP) to be utilized for sending authorization credentials to service providers (SP), facilitating single sign-on (SSO). This approach simplifies the management of multiple logins by allowing a single set of credentials to be used across multiple websites. It leverages XML for standardized communication between IdPs and SPs, linking the authentication of user identity with service authorization.`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-06 14:12:47 +00:00			`## Comparison between SAML and OAuth`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-06 14:12:47 +00:00			`- SAML is tailored towards providing enterprises with greater control over SSO login security.`
			`- OAuth is designed to be more mobile-friendly, uses JSON, and is a collaborative effort from companies like Google and Twitter.`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-04 16:10:29 +00:00			`# SAML Authentication Flow`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-06 14:12:47 +00:00			`For further details check the full post from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/). This is a summary:`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			`The SAML authentication process involves several steps, as illustrated in the schema:`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			`![https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg](https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg)`

			`1. Resource Access Attempt: The user tries to access a protected resource.`
			`2. SAML Request Generation: The SP does not recognize the user and generates a SAML Request.`
			`3. Redirect to IdP: The user is redirected to the IdP, with the SAML Request passing through the user's browser.`
			`4. IdP Receives Request: The IdP receives the SAML Request.`
			`5. Authentication at IdP: The IdP authenticates the user.`
			`6. User Validation: The IdP validates the user's legitimacy to access the requested resource.`
			`7. SAML Response Creation: The IdP generates a SAML Response containing necessary assertions.`
			`8. Redirect to SP's ACS URL: The user is redirected to the SP's Assertion Consumer Service (ACS) URL.`
			`9. SAML Response Validation: The ACS validates the SAML Response.`
			`10. Resource Access Granted: Access to the initially requested resource is granted.`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			`# SAML Request Example`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			`Consider the scenario where a user requests access to a secure resource at [https://shibdemo-sp1.test.edu/secure/](https://shibdemo-sp1.test.edu/secure/). The SP identifies the lack of authentication and generates a SAML Request:`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00			`GET /secure/ HTTP/1.1`
			`Host: shibdemo-sp1.test.edu`
a 2024-02-04 16:10:29 +00:00			`...`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00			```

a 2024-02-04 16:10:29 +00:00			`The raw SAML Request looks like this:`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			```xml
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00			`<?xml version="1.0"?>`
a 2024-02-04 16:10:29 +00:00			`<samlp:AuthnRequest ...`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00			`</samlp:AuthnRequest>`
			```

a 2024-02-04 16:10:29 +00:00			`Key elements of this request include:`
			`- AssertionConsumerServiceURL: Specifies where the IdP should send the SAML Response post-authentication.`
			`- Destination: The IdP's address to which the request is sent.`
			`- ProtocolBinding: Defines the transmission method of SAML protocol messages.`
			`- saml:Issuer: Identifies the entity that initiated the request.`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			Following the SAML Request generation, the SP responds with a 302 redirect, directing the browser to the IdP with the SAML Request encoded in the HTTP response's Location header. The RelayState parameter maintains the state information throughout the transaction, ensuring the SP recognizes the initial resource request upon receiving the SAML Response. The SAMLRequest parameter is a compressed and encoded version of the raw XML snippet, utilizing Deflate compression and base64 encoding.
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00

fix mess 2022-05-01 12:41:36 +00:00			`# SAML Response Example`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			`You can find a [full SAML response here](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/). The key components of the response include:`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			- ds:Signature: This section, an XML Signature, ensures the integrity and authenticity of the issuer of the assertion. The SAML response in the example contains two `ds:Signature` elements, one for the message and the other for the assertion.
			`- saml:Assertion: This part holds information about the user's identity and possibly other attributes.`
			`- saml:Subject: It specifies the principal subject of all the statements in the assertion.`
			`- saml:StatusCode: Represents the status of the operation in response to the corresponding request.`
			`- saml:Conditions: Details conditions like the validity timing of the Assertion and the specified Service Provider.`
			`- saml:AuthnStatement: Confirms that the IdP authenticated the subject of the Assertion.`
			`- saml:AttributeStatement: Contains attributes describing the subject of the Assertion.`
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			Following the SAML Response, the process includes a 302 redirect from the IdP. This leads to a POST request to the Service Provider's Assertion Consumer Service (ACS) URL. The POST request includes `RelayState` and `SAMLResponse` parameters. The ACS is responsible for processing and validating the SAML Response.
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
a 2024-02-04 16:10:29 +00:00			After the POST request is received and the SAML Response is validated, access is granted to the protected resource initially requested by the user. This is illustrated with a `GET` request to the `/secure/` endpoint and a `200 OK` response, indicating successful access to the resource.
GitBook: [master] one page modified 2021-06-09 17:02:14 +00:00
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
fix mess 2022-05-01 12:41:36 +00:00			`# XML Signatures`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-04 16:10:29 +00:00			`XML Signatures are versatile, capable of signing an entire XML tree or specific elements within it. They can be applied to any XML Object, not just Response elements. Below are the key types of XML Signatures:`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-04 16:10:29 +00:00			`### Basic Structure of XML Signature`
			`An XML Signature consists of essential elements as shown:`
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-04 16:10:29 +00:00			```xml
GitBook: [master] 4 pages and 11 assets modified 2021-06-09 23:55:49 +00:00			`<Signature>`
			`<SignedInfo>`
			`<CanonicalizationMethod />`
			`<SignatureMethod />`
			`<Reference>`
			`<Transforms />`
			`<DigestMethod />`
			`<DigestValue />`
			`</Reference>`
a 2024-02-04 16:10:29 +00:00			`...`
GitBook: [master] 4 pages and 11 assets modified 2021-06-09 23:55:49 +00:00			`</SignedInfo>`
			`<SignatureValue />`
			`<KeyInfo />`
			`<Object />`
			`</Signature>`
			```

a 2024-02-04 16:10:29 +00:00			Each `Reference` element signifies a specific resource being signed, identifiable by the URI attribute.

			`### Types of XML Signatures`

			`1. Enveloped Signature: This type of signature is a descendant of the resource it signs, meaning the signature is contained within the same XML structure as the signed content.`

			`Example:`
			```xml
			`<samlp:Response ... ID="..." ... >`
			`...`
			`<ds:Signature>`
			`<ds:SignedInfo>`
			`...`
			`<ds:Reference URI="#...">`
			`...`
			`</ds:Reference>`
			`</ds:SignedInfo>`
			`</ds:Signature>`
			`...`
			`</samlp:Response>`
			```

			In an enveloped signature, the `ds:Transform` element specifies that it's enveloped through the `enveloped-signature` algorithm.

			`2. Enveloping Signature: Contrasting with enveloped signatures, enveloping signatures wrap the resource being signed.`

			`Example:`
			```xml
			`<ds:Signature>`
			`<ds:SignedInfo>`
			`...`
			`<ds:Reference URI="#...">`
			`...`
			`</ds:Reference>`
			`</ds:SignedInfo>`
			`<samlp:Response ... ID="..." ... >`
			`...`
			`</samlp:Response>`
			`</ds:Signature>`
			```

			`3. Detached Signature: This type is separate from the content it signs. The signature and the content exist independently, but a link between the two is maintained.`

			`Example:`
			```xml
			`<samlp:Response ... ID="..." ... >`
			`...`
			`</samlp:Response>`
			`<ds:Signature>`
			`<ds:SignedInfo>`
			`...`
			`<ds:Reference URI="#...">`
			`...`
			`</ds:Reference>`
			`</ds:SignedInfo>`
			`</ds:Signature>`
			```

			`In conclusion, XML Signatures provide flexible ways to secure XML documents, with each type serving different structural and security needs.`
GitBook: [master] 4 pages and 11 assets modified 2021-06-09 23:55:49 +00:00
GitBook: [master] 480 pages and one asset modified 2021-06-07 16:48:00 +00:00
a 2024-02-08 03:08:28 +00:00			`## References`
a 2024-02-04 16:10:29 +00:00			`* [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

arte 2024-01-10 10:22:19 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-10 10:22:19 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-10 10:22:19 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
A 2024-02-09 07:14:36 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-10 10:22:19 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`