SAML

From MgmtWiki

Revision as of 16:30, 17 June 2024 by Tom (talk | contribs) (→‎Problems)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Contents

1 Full Title or Meme
2 Problems
3 Vulernabilities
4 References

Full Title or Meme

Security Assertion Markup Language is a collection of standards used in Identifier Management

Problems

There are two terms that SAML defined that defy logical analysis but have propagated misunderstanding to this day.

Identity - the use in SAML lead to a conflation of the idea of a digital Identifier with a person's identity which it is surely is not.
Claim - as defined in SAML the term is not problematic, but is use in Microsoft implementations has lead it to be conflated with Attribute.

Vulernabilities

The "Golden SAML" is caused by the creation of an Identifier token that allowed access across multiple applications.^[1]

References

↑ Shaked Reiner, Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps CyberArk (2017-11-21) https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=SAML&oldid=21108"