IdP Initiated SAML and Man in the middle

Cantor, Scott cantor.2 at osu.edu
Thu Jun 3 11:55:48 UTC 2021


On 6/3/21, 6:22 AM, "users on behalf of Stefan Rasmusson" <users-bounces at shibboleth.net on behalf of rasmusson.stefan at gmail.com> wrote:

> But isn't this a problem in SP-initiated as well? If the attacker can be between the browser and SP and the IdP
> and browser, it can intercept the response from the IdP and present it to the SP. The response will correspond to
> the authnrequest sent for the original user.

That depends on the implementation, and was true until V3.1 of the SP prior to the implementation of response correlation and the ability to block unsolicited responses. It remains true of 99% of SPs in the world.

Please use OASIS' saml-dev list if you want to carry on general SAML discussion.

-- Scott
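As an added illustration of the response correlation Scott refers to (example code written for this page, not the Shibboleth SP's own implementation), here is an SP-side check that accepts a samlp:Response only when its InResponseTo matches an AuthnRequest ID recorded in the same browser session, and rejects unsolicited responses unless policy allows them. The XML messages and session contents are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a response the IdP issued for AuthnRequest "_req1".
SOLICITED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
    'InResponseTo="_req1" IssueInstant="2021-06-03T11:00:00Z" '
    'Destination="https://sp.example.org/SAML2/POST"/>'
)
# Constructed sample: an IdP-initiated response (no InResponseTo at all).
UNSOLICITED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp2" Version="2.0" '
    'IssueInstant="2021-06-03T11:00:00Z" '
    'Destination="https://sp.example.org/SAML2/POST"/>'
)


def correlate_response(response_xml, session, allow_unsolicited=False):
    """Decide whether this browser session may consume the response.

    `session` is the per-browser server-side state; its "pending_requests"
    entry maps AuthnRequest IDs this SP issued for *this* session to the
    time they were issued. Returns (accepted, reason).
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated SSO: there is no request to correlate against, so
        # acceptance is purely a policy decision.
        if allow_unsolicited:
            return True, "unsolicited response accepted by policy"
        return False, "unsolicited response rejected"
    pending = session.setdefault("pending_requests", {})
    if in_response_to not in pending:
        # The response answers a request this session never made: it was
        # issued for some other browser's AuthnRequest.
        return False, "InResponseTo does not match a request from this session"
    # Consume the request ID so the same response cannot be presented twice.
    del pending[in_response_to]
    return True, "correlated with pending request"


if __name__ == "__main__":
    victim = {"pending_requests": {"_req1": "2021-06-03T10:59:00Z"}}
    other = {"pending_requests": {"_req2": "2021-06-03T10:59:30Z"}}
    print(correlate_response(SOLICITED_RESPONSE, victim))   # accepted
    print(correlate_response(SOLICITED_RESPONSE, other))    # rejected
    print(correlate_response(UNSOLICITED_RESPONSE, other))  # rejected
```

The `other` session models a browser that did not issue `_req1`: without correlation the SP would have accepted the response for it, which is the weakness the quoted question describes.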
