O365 auth bypass

Tom Scavo trscavo at gmail.com
Wed Apr 27 18:41:45 EDT 2016


On Wed, Apr 27, 2016 at 6:26 PM, Ioannis Kakavas <ikakavas at noc.grnet.gr> wrote:
> On April 27, 2016 8:28:01 PM GMT+03:00, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>>
>>This is being misrepresented (and dangerously so, IMHO)
>
> That's an overstatement IMHO.
>
>>as a SAML issue
>>because it gives people the idea that the middleware is enough to
>>prevent this kind of problem.
>
> It's not claimed that the middleware would/should solve the issue. The write-up is addressed to a general security-aware audience, not to SAML experts, and as though some things are simplified.

I think the point is that the issue is not a SAML issue per se, yet
the article spends most of its time discussing the SAML protocol,
therefore implying (to the casual reader at least) that SAML is at
fault. In fact, OIDC clients are susceptible to this attack if they
narrowly focus on the 'sub' claim but fail to check the issuer. So the
problem is much more general than what might otherwise be perceived.

Tom
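
The failure mode Tom describes, as an added example that is not part of the thread and not code from any project discussed here: an OIDC relying party that resolves the local account from the `sub` claim alone versus one that first validates `iss`, `aud`, `azp` and `exp` and then keys the account lookup on the `(iss, sub)` pair. The issuer URLs, client id, account table and claim sets below are constructed, and the tokens are assumed to have already passed signature verification in an upstream library.

```python
"""Why an OIDC relying party must bind accounts to (iss, sub), not 'sub' alone.

All values here are constructed for illustration; the claim sets stand in for
ID Tokens whose signatures an assumed upstream JWT library has already checked.
"""
import time

# Constructed relying-party configuration.
TRUSTED_ISSUER = "https://idp.example.edu"
CLIENT_ID = "rp-client-123"
FIXED_NOW = 1_461_800_000  # constructed clock value so the example is deterministic

# Constructed local account tables: the weak one is keyed on 'sub' only,
# the correct one on the (issuer, subject) pair.
ACCOUNTS_BY_SUB = {"alice": "alice@example.edu"}
ACCOUNTS_BY_ISS_SUB = {(TRUSTED_ISSUER, "alice"): "alice@example.edu"}

# Constructed claim sets. Both carry sub="alice"; only the issuer differs.
LEGIT_CLAIMS = {
    "iss": TRUSTED_ISSUER,
    "sub": "alice",
    "aud": CLIENT_ID,
    "exp": FIXED_NOW + 300,
    "iat": FIXED_NOW,
}
OTHER_ISSUER_CLAIMS = {
    "iss": "https://other-idp.example.org",  # a different, untrusted issuer
    "sub": "alice",                          # same subject string as the legit token
    "aud": CLIENT_ID,
    "exp": FIXED_NOW + 300,
    "iat": FIXED_NOW,
}


class TokenRejected(Exception):
    """Raised when an ID Token fails a required check."""


def weak_resolve(claims):
    """Vulnerable pattern: map whatever 'sub' says to a local account,
    without asking which issuer asserted it."""
    return ACCOUNTS_BY_SUB.get(claims.get("sub"))


def validate_id_token(claims, now=None):
    """Core ID Token checks (issuer, audience, authorized party, expiry, subject).

    Signature verification is assumed to have happened before this point.
    """
    now = FIXED_NOW if now is None else now
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenRejected("unexpected issuer: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise TokenRejected("token not issued for this client")
    # If azp is present it must name this client.
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise TokenRejected("azp does not match client_id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenRejected("token expired or missing exp")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims


def strict_resolve(claims, now=None):
    """Hardened pattern: validate the token, then look the account up by (iss, sub)."""
    validate_id_token(claims, now)
    return ACCOUNTS_BY_ISS_SUB.get((claims["iss"], claims["sub"]))


if __name__ == "__main__":
    print("weak, legit token  ->", weak_resolve(LEGIT_CLAIMS))
    print("weak, other issuer ->", weak_resolve(OTHER_ISSUER_CLAIMS))  # same account!
    print("strict, legit      ->", strict_resolve(LEGIT_CLAIMS))
    try:
        strict_resolve(OTHER_ISSUER_CLAIMS)
    except TokenRejected as e:
        print("strict, other issuer -> rejected:", e)
```

The weak resolver returns the same local account for both claim sets, which is exactly the cross-issuer confusion the thread is about; the strict resolver rejects the second token before any account lookup happens, and even a token that somehow passed validation could only reach an account registered under its own issuer.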

