Based on recently proposed attack scenarios, we show that SAML assertions and SAML artifacts are still vulnerable to real-world attacks on browser-based implementations. We propose two different bindings of SAML assertions and SAML artifacts to the TLS security layer and show that these bindings protect against all known attacks. One binding is based on TLS client certificates, the other on a variant of the well-known Same Origin Policy of browsers.