SAML Security Considerations

The SAML specifications document contains an excellent discussion of the security concerns and considerations relating to the SAML protocol and profiles. The document is available on the OASIS Web site.

This chapter discusses how to configure the SAML system to generate and validate XML digital signatures. Digital signatures allow the receiving site to validate that the source of the SAML assertion really was the referring site, and that the contents of the SAML assertion were not changed in transit. Also discussed is how to configure SAML to use SSL with client authentication on the SAML SOAP back-channel. The inclusion of SSL with client authentication means that both the server receiving the incoming request and the client making the request must present certificates validating their identity. The advantage for SAML in this scenario is that the source of a SAML assertion can be validated by the SSL layer, and does not necessarily need to contain an XML digital signature.
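As an added illustration (not code from the original documentation or the product it describes) of what the receiving site's signature check has to establish: that the signature verifies under the referring site's key as already configured locally, rather than whatever key the message carries, and that the signed reference actually covers the assertion. The class name, the SAML 2.0 assertion namespace and the `ID` attribute handling are assumptions; only the JDK's `javax.xml.crypto` API is used.

```java
import java.io.InputStream;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Verifies an enveloped XML digital signature on a SAML 2.0 assertion (assumed layout). */
public final class AssertionSignatureCheck {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /**
     * @param assertionXml the received Assertion document
     * @param trustedKey   the referring site's public key from local configuration
     *                     (assumption: never taken from the message's own KeyInfo)
     * @return true only if the signature is valid and it covers this assertion
     */
    public static boolean isSignedByReferringSite(InputStream assertionXml, PublicKey trustedKey)
            throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(assertionXml);

        Element assertion = doc.getDocumentElement();
        if (!SAML2_NS.equals(assertion.getNamespaceURI())
                || !"Assertion".equals(assertion.getLocalName())) {
            return false;
        }
        // Exactly one Signature, and it must be a direct child of the Assertion (enveloped).
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) {
            return false;
        }
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigs.item(0));
        ctx.setIdAttributeNS(assertion, null, "ID"); // lets a "#<ID>" reference resolve here
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        // The single Reference must point at this Assertion ("" = whole document, root = Assertion).
        if (sig.getSignedInfo().getReferences().size() != 1) {
            return false;
        }
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        String uri = ref.getURI();
        if (!"".equals(uri) && !("#" + assertion.getAttribute("ID")).equals(uri)) {
            return false;
        }
        return sig.validate(ctx); // verifies the Reference digest and the SignatureValue
    }
}
```

Because the key is supplied from configuration, a message whose KeyInfo names some other certificate fails validation; this is the property the chapter relies on when it says the receiving site can establish the assertion's source from the signature.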

This chapter is divided into the following sections: