In many cases a SAML federation project ends with "single sign-on works!". After fighting with attributes, certificates and other configuration, the project manager is happy with that success message.
But… are you sure your federation partner deserves the trust? In many projects I have seen misconfiguration, misinterpretations of the SAML standard, flawed implementations.
So, be honest: are you testing your service provider? Simple tests like omitting the signature of the SAML assertion? Signing the assertion with an untrusted key? Sophisticated signature wrapping attacks to get down to the nitty-gritty?
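As an added illustration, not code from SSOCheck, here are the three checks named above expressed from the service provider's side: structural pre-checks on a SAML Response that catch a missing assertion signature, a signing certificate outside the trust store, and a signed assertion relocated away from where the SP looks. The trust-store value and the sample Response messages are constructed placeholders; cryptographic verification of the signature still has to be done by an XML-DSig library afterwards.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical trust store: base64 DER of the federation partner's signing cert.
TRUSTED_CERTS = {"IDP-CERT-PLACEHOLDER"}

def check_response(xml_text, trusted=TRUSTED_CERTS):
    """Return (ok, reason). ok means the message is safe to hand to an XML-DSig
    library for cryptographic verification; it is not a substitute for that."""
    root = ET.fromstring(xml_text)
    # Wrapping test: consume only a direct child Assertion and refuse ambiguity.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion directly under Response"
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attributes (signature wrapping?)"
    a = assertions[0]
    # Omitted-signature test: the assertion itself must carry an enveloped signature.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        return False, "assertion is not signed"
    # The signature must reference *this* assertion, not some other element.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
        return False, "signature Reference does not cover this assertion"
    # Untrusted-key test: the signing certificate must belong to the partner.
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if "".join(cert.split()) not in trusted:
        return False, "signing certificate not in trust store"
    return True, "structure ok, now verify the signature cryptographically"

def sample_response(signed=True, cert="IDP-CERT-PLACEHOLDER", wrapped=False):
    """Constructed sample Response (no real signature value) for the checks above."""
    sig = ("<ds:Signature><ds:SignedInfo><ds:Reference URI='#a1'/></ds:SignedInfo>"
           "<ds:SignatureValue>x</ds:SignatureValue><ds:KeyInfo><ds:X509Data>"
           f"<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
           "</ds:Signature>") if signed else ""
    good = f"<saml:Assertion ID='a1'>{sig}<saml:Subject/></saml:Assertion>"
    # Wrapped: signed assertion moved into Extensions, unsigned one where the SP looks.
    body = (f"<samlp:Extensions>{good}</samlp:Extensions>"
            "<saml:Assertion ID='a2'><saml:Subject/></saml:Assertion>") if wrapped else good
    return (f"<samlp:Response xmlns:samlp='{NS['samlp']}' xmlns:saml='{NS['saml']}' "
            f"xmlns:ds='{NS['ds']}' ID='r1'>{body}</samlp:Response>")

if __name__ == "__main__":
    for kw in ({}, {"signed": False}, {"cert": "EVIL"}, {"wrapped": True}):
        print(kw, check_response(sample_response(**kw)))
```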
Try our SSOCheck tool, API or our monitoring and certification service and run the tests. Up to 80 tests are available. Download SSOCheck Tool and get started.