IdP Initiated SAML and Man in the middle

Peter Schober peter.schober at
Thu Jun 3 12:22:28 UTC 2021

* Stefan Rasmusson <rasmusson.stefan at> [2021-06-03 12:23]:
> If the attacker can be between the browser and SP and the IdP and
> browser, it can intercept the response from the IdP and present it
> to SP. The response will correspond to the authnrequest sent for the
> original user.

Well, but the Response (or Assertion) will likely be encrypted to the
SP (providing no information to the "person in the middle") and should
always be signed by the IDP (providing no opportunity to the "person
in the middle" to modify or replace the content of the Response).
If the attacker can only play netcat (intercepting messages and
passing them back and forth) but C.I.A. is all still intact, is that
something to be concerned about?
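As an added illustration of the point above (not code from this thread or from any SAML implementation): a constructed Go sketch in which the IdP signs a Response and the SP verifies it before reading any field, assuming a detached ECDSA signature over the raw bytes in place of enveloped XML-DSig and a made-up SP endpoint URL. It shows that an attacker who merely relays the message gets it accepted unchanged, while any modification fails the signature check because the relay does not hold the IdP key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"errors"
)

// Constructed stand-in for a signed SAML Response: real SAML uses enveloped XML-DSig over
// canonicalised XML; here the IdP signs the raw bytes and the ECDSA signature travels detached.
type Signed struct{ Body, Sig []byte }
// Constructed sample Response as the IdP would emit it for user "alice" (made-up SP URL).
const sample = `<Response Destination="https://sp.example.org/acs"><Assertion><Subject><NameID>alice</NameID></Subject></Assertion></Response>`

// idpSign: the IdP signs sha256(Body) with its private key.
func idpSign(priv *ecdsa.PrivateKey, body []byte) (Signed, error) {
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Signed{Body: body, Sig: sig}, err
}

// spAccept: the SP verifies the IdP signature before reading any field, then checks that
// the Response is addressed to its own ACS endpoint and returns the asserted user.
func spAccept(idpPub *ecdsa.PublicKey, acs string, s Signed) (string, error) {
	if h := sha256.Sum256(s.Body); !ecdsa.VerifyASN1(idpPub, h[:], s.Sig) {
		return "", errors.New("signature invalid: content modified or not from the IdP")
	}
	var r struct { Destination string `xml:"Destination,attr"`; NameID string `xml:"Assertion>Subject>NameID"` }
	if err := xml.Unmarshal(s.Body, &r); err != nil {
		return "", err
	}
	if r.Destination != acs {
		return "", errors.New("Response not addressed to this SP")
	}
	return r.NameID, nil
}

// scenario: an unmodified relay passes (C.I.A. intact); a subject swap cannot be re-signed without the IdP key.
func scenario() (relayUser string, tamperErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signed, _ := idpSign(priv, []byte(sample))
	relayUser, _ = spAccept(&priv.PublicKey, "https://sp.example.org/acs", signed)
	forged := Signed{bytes.Replace(signed.Body, []byte("alice"), []byte("mallory"), 1), signed.Sig}
	_, tamperErr = spAccept(&priv.PublicKey, "https://sp.example.org/acs", forged)
	return
}
```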

