SOA Security by Prasad A Chodavarapu, Ramarao Kanneganti

Appendix D. Securing SAML assertions

In chapter 8, we introduced SAML assertions that can be used to communicate the findings of a security service. Since service endpoints depend on SAML assertions to identify users and make other security decisions, we should secure those assertions, too, in particular against the following threats:

  • Forgery and tampering: An attacker may submit a completely forged assertion, or may tamper with the information in an assertion created by the security service. In use case #2, described in section 8.2.2, the source endpoint can add an AttributeStatement (or alter an existing one) in the assertion returned by the security service to make itself a member of the administrators group.
  • Replaying: An assertion can be captured ...