SAML Testing with SSOCheck

Watch the video to see SSOCheck in action

Do you think SAML is secure?
You are probably right as it is a well proven industry standard and many people were involved in creating the specification.

But that doesn’t mean that YOUR SAML deployment with YOUR federation partner is secure.

Consider the complexity of the SAML specification and the technology involved. XML signature itself is not easy to understand. It is basically not enough to say:
“We are using SAML that is secure”.
During several projects we saw many and still see many “SAML SSO deployments” that were not very SAML standard conform and even had major security flaws.

What do you think if someone could easily construct a SAML message that is accepted by your Service Provider? In that case it is easy for an attacker to steal your identity and your data. Actually the attacker not even need to know your password ….

Many service provider (not only small ones) rely on their own implementation leveraging some frameworks, SDK or other tool kits. Under this circumstances there is a considerable risk for some kind of implementation flaw. But even when proven SAML software is deployed misconfiguration ans misinterpretation might lead to a false sense of security.

SSOCheck was introduced to help you testing your federations during implementation and on an ongoing basis as long as your SAML federation is active.

SSOCheck is aligned with the “error testing” as described in “SAML 2.0 Full Matrix Test Event” described in http://kantarainitiative.org/confluence/display/certification/SAML+2.0+Full+Matrix+Test+Event and “Test Plan for Kantara Initiative Test Event 5 Test Criteria 6 SAML 2.0”

Quoting from that source:

“The SAML standard continues to be one of the most widely adopted identity management standards in the world. With industries from around the globe adopting SAML, the critical identity information that flows over SAML represents millions of identities each year. To ensure that identity information is securely handled, Kantara initiative full-matrix interoperability certification is mission critical for these industries.”

Furthermore the SSOCheck the follows the recommendations in “Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0”.

Are you sure that the XML signature, as the technical foundation of verifying the trust relationship, is correctly verified? Is it checked at all?

SSOCheck implements several advanced XML Signature Wrapping tests, which pose another category of implementation risk.

What exactly is SSOCheck?

  • SSOCheck API is an interface that helps you build your own test procedures
  • SSOCheck Tool is a Firefox Plugin which leverages the API to run tests out of the box
  • SSOCheck Monitoring is our offer to monitor your SAML SSO process on an ongoing basis. As a proof for the continuous testing we award the SSOCheck Seal

SSOCheck Tool is now deprecated. Please contact us for information.