Sign or not to Sign SAML AuthnRequest

Unsigned AuthnRequest, what?

A couple of months ago, I ran into a SAML IdP that does not require a signed AuthnRequest and does not verify the signature if one is present. It was initially alarming — how would an IdP possibly know it's sending identity information to the right service provider unless the source of the SAML AuthnRequest is verified? 

Hello, Man-In-The-Middle Attack!

It was a false alarm, and the reason was unexpected. Let us take a step back and revisit SAML AuthnRequest details first.

The message a Service Provider sends to initiate SAML authentication is known as the SAML Authentication Request, or just AuthnRequest. It contains information about the application making the request and a callback URL at which the SP receives identity information from the IdP. That callback URL is called the Assertion Consumer Service (ACS). After successful authentication, the IdP responds with information about the user's identity (the SAML Response) to the ACS. 

One thing is essential in the SAML authentication flow: the IdP has to sign the SAML Response, or the attribute assertions within the Response, so that the SP can verify the signature and have full confidence that the information about the user has not been tampered with in transit. Furthermore, the IdP is typically expected to guarantee that the right SP receives the SAML Response. 

An attacker in the middle intercepts the SAML AuthnRequest, changes the Assertion Consumer Service (ACS) URL to one they control, and forwards it to the IdP. An IdP that neither requires nor verifies a signature would trust the tampered request and send the attribute assertions to the attacker. 

So what is the catch?

Well, the IdP happens to have an ACS URL whitelist specifically configured for the Service Provider. The IdP will look at the ACS URL provided in the SAML AuthnRequest, and if it is not on the list, the request gets rejected. 

It was that simple! 

(Image: ACS Check)

Takeaway

So, yes, it is faster to check a whitelist than to maintain a signing certificate and verify a signature, but whether to sign or not to sign the AuthnRequest is the relevant question:

  • Requiring a signed AuthnRequest and verifying its signature is unnecessary if the IdP explicitly cross-checks the ACS URL provided in the AuthnRequest against the Service Provider's dedicated ACS list.

  • If the IdP does not have an ACS whitelist and accepts dynamic Assertion Consumer Services, then the IdP has to require and verify the AuthnRequest signature at all times. Otherwise, the IdP is vulnerable to a Man-In-The-Middle (MITM) attack.
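The two takeaways above expressed as one IdP-side policy check, written as an added example for this post (not code from the IdP in question): the Issuer, ACS URLs and SP registry are constructed, and the actual XML-DSig verification is assumed to happen before the call and is passed in as signature_valid.

```python
# Added example (not from the original post): an IdP-side policy check that
# models the two controls discussed above. Registry entries, URLs and requests
# are constructed; real XML-DSig verification (e.g. via xmlsec) is left to the
# caller and passed in as signature_valid.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Per-SP registration keyed by Issuer. acs=None means no whitelist, i.e. the
# SP may choose its ACS dynamically, which is only safe with a verified signature.
SP_REGISTRY = {
    "https://sp.example.org/metadata": {"acs": {"https://sp.example.org/saml/acs"}},
    "https://dynamic-sp.example.net": {"acs": None},
}

def make_request(issuer, acs, signed=False):
    """Build a minimal (constructed) AuthnRequest; 'signed' adds a placeholder ds:Signature."""
    sig = f'<ds:Signature xmlns:ds="{DSIG}"/>' if signed else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_constructed" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
            f'AssertionConsumerServiceURL="{acs}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{sig}</samlp:AuthnRequest>')

def decide(xml_text, signature_valid=False):
    """Return (accepted, reason). signature_valid is the outcome of a real
    XML-DSig check over the request, performed before calling this function."""
    root = ET.fromstring(xml_text)  # prefer defusedxml for untrusted input
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    signed = root.find(f"{{{DSIG}}}Signature") is not None
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        return False, "unknown Issuer"
    if sp["acs"] is not None:
        # Exact string match only: prefix or substring matching would let a
        # look-alike host such as https://sp.example.org.example.net/ through.
        if acs in sp["acs"]:
            return True, "ACS on whitelist"
        return False, "ACS not on whitelist"
    if signed and signature_valid:
        return True, "dynamic ACS accepted, signature verified"
    return False, "dynamic ACS requires a verified AuthnRequest signature"

if __name__ == "__main__":
    print(decide(make_request("https://sp.example.org/metadata", "https://sp.example.org/saml/acs")))
    print(decide(make_request("https://sp.example.org/metadata", "https://tampered.example/acs")))
```

With a whitelist, a tampered ACS is rejected regardless of any signature; without one, only a request whose signature actually verified gets its dynamic ACS honoured.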
