
Sign or not to Sign SAML AuthnRequest
A couple of months ago, I ran into a SAML IdP that does not require an AuthnRequest signature, nor does it verify the signature if the request was signed. It was initially alarming - how would an IdP possibly know it's sending identity information to the right service provider unless the source of the SAML AuthnRequest is verified?
Hello, Man-In-The-Middle Attack!

Passwordless for Government Services
Passwords are the root cause of data breaches. According to Verizon's 2020 Data Breach Investigations Report, 80% of web application breaches happened due to stolen or brute-forced credentials.
Start thinking about Government Services without passwords.