IdP Initiated SAML and Man in the middle

Stefan Rasmusson rasmusson.stefan at
Thu Jun 3 10:22:12 UTC 2021

I'm researching the different problems with IdP-initiated SAML and have come
upon many sources that mention the problem with man in the middle.
I understand that it is a problem. If an attacker can be between the
browser and the SP when the response is sent, the attacker can take it and
present it as his own.
But isn't this a problem in SP-initiated as well? If the attacker can be
between the browser and the SP, and between the IdP and the browser, it can
intercept the response from the IdP and present it to the SP. The response
will correspond to the AuthnRequest sent for the original user.
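
The check the question turns on is the SP side of SP-initiated SAML: the SP mints an AuthnRequest ID, remembers it against the browser session that started the login, and accepts a Response only when its InResponseTo matches that session's outstanding request (once, and within a time window). An unsolicited (IdP-initiated) Response carries no InResponseTo, so there is nothing to bind it to. The following is an added illustration written for this thread, not code from the mailing list or from any SAML library; the Response messages are constructed stand-ins, signature validation is assumed to have happened already, the session "cookies" are plain strings, and the 300-second request lifetime is an assumed value.

```python
"""Minimal model of an SP's InResponseTo check in SP-initiated SAML.

Added example for this thread, not code from the original post. Messages are
constructed; signature validation is assumed to be done elsewhere.
"""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUEST_TTL = 300  # seconds an outstanding AuthnRequest stays valid (assumed value)


class ServiceProvider:
    """Tracks one outstanding AuthnRequest per browser session (cookie)."""

    def __init__(self, allow_unsolicited=False):
        self.allow_unsolicited = allow_unsolicited
        self.pending = {}  # session cookie -> (request id, issue time)

    def initiate(self, session):
        """SP-initiated flow: mint an AuthnRequest ID and bind it to this session."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[session] = (request_id, time.time())
        return request_id  # would be placed in <samlp:AuthnRequest ID="...">

    def consume(self, session, response_xml):
        """Assertion Consumer Service. Returns (accepted, reason)."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # IdP-initiated / unsolicited: there is no request to tie it to
            if self.allow_unsolicited:
                return True, "unsolicited response accepted (no session binding)"
            return False, "unsolicited response rejected"
        entry = self.pending.pop(session, None)  # single use: a replay finds nothing
        if entry is None:
            return False, "no outstanding AuthnRequest for this session"
        request_id, issued = entry
        if in_response_to != request_id:
            return False, "InResponseTo does not match this session's request"
        if time.time() - issued > REQUEST_TTL:
            return False, "AuthnRequest expired"
        return True, "response matches this session's AuthnRequest"


def idp_response(name_id, in_response_to=None):
    """Constructed stand-in for the IdP's (signed) Response; no signature here."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" Version="2.0"{attr}>'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    )


def replay_scenario():
    """Victim starts an SP-initiated login; an attacker who captured the
    Response presents it from their own browser session.
    Returns (victim_accepted, attacker_accepted)."""
    sp = ServiceProvider()
    victim, attacker = "cookie-victim", "cookie-attacker"
    req_id = sp.initiate(victim)
    resp = idp_response("alice", in_response_to=req_id)
    attacker_ok, _ = sp.consume(attacker, resp)  # attacker's session has no request
    victim_ok, _ = sp.consume(victim, resp)
    return victim_ok, attacker_ok


def unsolicited_scenario():
    """IdP-initiated Response (no InResponseTo) against a strict SP and a
    permissive SP. Returns (strict_accepted, permissive_accepted)."""
    resp = idp_response("alice")
    strict_ok, _ = ServiceProvider(allow_unsolicited=False).consume("any", resp)
    permissive_ok, _ = ServiceProvider(allow_unsolicited=True).consume("any", resp)
    return strict_ok, permissive_ok


if __name__ == "__main__":
    print("SP-initiated (victim, attacker):", replay_scenario())
    print("IdP-initiated (strict, permissive):", unsolicited_scenario())
```

Note what the check does and does not cover: it ties the Response to the session that issued the AuthnRequest, so a captured Response is useless in any other session and cannot be used twice. It does not by itself help an attacker-free SP against a party that also holds that session's cookie; keeping the browser-to-SP and browser-to-IdP legs on TLS is what that rests on.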

