IdP Initiated SAML and Man in the middle

Cantor, Scott cantor.2 at
Thu Jun 3 11:55:48 UTC 2021

On 6/3/21, 6:22 AM, "users on behalf of Stefan Rasmusson" <users-bounces at on behalf of rasmusson.stefan at> wrote:

>    But isn't this a problem in SP initiated as well? If the attacker can be between the browser and SP and the IdP
> and browser. It can intercept the response from the IdP and present it to SP. The response will correspond to
> the AuthnRequest sent for the original user.

That depends on the implementation, and was true until V3.1 of the SP prior to the implementation of response correlation and the ability to block unsolicited responses. It remains true of 99% of SPs in the world.

Please use OASIS' saml-dev list if you want to carry on general SAML discussion.

-- Scott
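The response correlation Scott refers to is the SP-side check that a SAML Response's InResponseTo attribute names an AuthnRequest this particular browser session issued and has not yet consumed, with unsolicited (IdP-initiated) responses rejected unless explicitly allowed. The following is an added illustration written for this thread, not code from the Shibboleth SP or from either poster; the session dictionary, the function names and the constructed Response XML are assumptions, and signature validation is assumed to happen separately before this check runs.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def issue_authn_request(session: dict) -> str:
    """SP issues an AuthnRequest and remembers its ID in the browser session.

    The session is the state bound to the browser's cookie, so a request ID
    recorded here can only be satisfied by a Response delivered in that same
    session. (Hypothetical in-memory store, standing in for real session storage.)
    """
    request_id = "_" + secrets.token_hex(16)
    session.setdefault("outstanding_request_ids", set()).add(request_id)
    return request_id


def check_response_correlation(session: dict, response_xml: str,
                               allow_unsolicited: bool = False) -> tuple:
    """Return (accepted, reason) for a Response arriving in this session.

    Assumes the XML signature has already been verified elsewhere; this
    function only decides whether the Response correlates to a request the
    session actually made.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated flow: no request to correlate against.
        if allow_unsolicited:
            return True, "unsolicited response accepted by policy"
        return False, "unsolicited response rejected"

    outstanding = session.get("outstanding_request_ids", set())
    if in_response_to not in outstanding:
        # Either never issued in this session, or already consumed. A Response
        # captured from a different browser session fails here because its
        # InResponseTo was recorded under that other session's cookie.
        return False, "InResponseTo does not match an outstanding request in this session"

    outstanding.discard(in_response_to)  # single use: replay into this session fails too
    return True, "correlated"


def build_response(in_response_to=None) -> str:
    """Constructed sample Response (unsigned, minimal) for demonstration only."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0"{attr}>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        "</samlp:Response>"
    )


if __name__ == "__main__":
    victim_session, other_session = {}, {}
    rid = issue_authn_request(victim_session)
    print(check_response_correlation(victim_session, build_response(rid)))   # accepted
    print(check_response_correlation(victim_session, build_response(rid)))   # replay: rejected
    print(check_response_correlation(other_session, build_response(rid)))    # wrong session: rejected
    print(check_response_correlation(other_session, build_response()))       # unsolicited: rejected
```

Keying the outstanding-request set on the session rather than on a global table is the point of the check: a Response that correlates to a request ID the SP issued, but that arrives in a session that never issued it, is refused, and each ID is consumed on first use.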

