IdP Initiated SAML and Man in the middle

Stefan Rasmusson rasmusson.stefan at
Fri Jun 4 19:06:18 UTC 2021

> Please use OASIS' saml-dev list if you want to carry on general SAML
> discussion.

That is very true. This is not related to Shibboleth but SAML in general so
I will ask my question there.

Out of curiosity Scott, you mentioned response correlation and the ability
to block unsolicited responses as mitigations for man in the middle for SP
initiated SSO. How do these stop that problem?


On Thu, Jun 3, 2021 at 2:22 PM Peter Schober <peter.schober at>

> * Stefan Rasmusson <rasmusson.stefan at> [2021-06-03 12:23]:
> > If the attacker can be between the browser and SP and the IdP and
> > browser. It can intercept the response from the IdP and present it
> > to SP. The response will correspond to the authnrequest sent for the
> > original user.
> Well, but the Response (or Assertion) will likely be encrypted to the
> SP (providing no information to the "person in the middle") and should
> always be signed by the IDP (providing no opportunity to the "person
> in the middle" to modify or replace the content of the Response).
> If the attacker can only play netcat (intercepting messages and
> passing them back and forth) but C.I.A. is all still intact, is that
> something to be concerned about?
> -peter
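As an added illustration (not code from this thread or from Shibboleth) of the "response correlation" and "block unsolicited responses" mitigations Stefan asks about: the SP keeps the IDs of the AuthnRequests it issued, requires an incoming Response's InResponseTo to match one of them, and consumes the ID so the same Response cannot be presented a second time. The class, function names and the constructed sample Response are assumptions for this example; signature and encryption checks are assumed to run before it.

```python
# Added example: SP-side correlation of samlp:Response.InResponseTo against
# outstanding AuthnRequest IDs. Names here are hypothetical, not Shibboleth's.
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class RequestCorrelator:
    def __init__(self, allow_unsolicited=False, ttl_seconds=300):
        self.allow_unsolicited = allow_unsolicited  # permit IdP-initiated flow?
        self.ttl = ttl_seconds                      # how long a request stays valid
        self._outstanding = {}                      # request ID -> time issued

    def issue_request(self, request_id, now=None):
        # Record the ID of an AuthnRequest the SP has just sent.
        self._outstanding[request_id] = time.time() if now is None else now

    def check_response(self, response_xml, now=None):
        # Returns (accepted, reason). Assumes signature/decryption already done.
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited (IdP-initiated): nothing for the SP to correlate with.
            state = "allowed" if self.allow_unsolicited else "rejected"
            return self.allow_unsolicited, "unsolicited response " + state
        # pop() consumes the ID, so a replayed Response fails the second time.
        issued = self._outstanding.pop(in_response_to, None)
        if issued is None:
            return False, "InResponseTo matches no outstanding request"
        if now - issued > self.ttl:
            return False, "matching request has expired"
        return True, "correlated with outstanding request"

def sample_response(in_response_to=None):
    # Constructed, unsigned Response used only to exercise the check above.
    attrs = 'ID="_r1" Version="2.0" IssueInstant="2021-06-03T12:00:00Z"'
    if in_response_to is not None:
        attrs += f' InResponseTo="{in_response_to}"'
    return f'<samlp:Response xmlns:samlp="{SAMLP}" {attrs}/>'
```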
