This workshop discusses the current status of the Trust & Identity Incubator activity Scalable testing for insecure SAML signature validation. The meeting takes place as a hybrid event during the GÉANT project symposium and via Zoom.
The SAML 2.0 protocol relies on XML signatures as the foundation of its security. XML Signature is notoriously complex and allows many ways to create one or more signatures for any document, which means an implementation can easily end up accepting data that is not properly signed. Even common R&E implementations like Shibboleth and SimpleSAMLphp have had issues here in the past. Besides these common products, which are at least periodically audited for such problems, a much larger risk lies in custom implementations that use different or even home-grown libraries.
The goal of the activity is to deliver a (software or service) solution that assists identity federation operators in testing, at scale, several core security aspects of the SAML service providers within their federation. This includes the technical implementation of the use cases to test against. In addition, it designs a concept to support operators in deploying the test suite both technically and operationally.