Gross, of the IBM Zurich research lab, presents a security analysis of one portion of the Security Assertion Markup Language (SAML) version 1.1: the browser/artifact profile. The SAML normative specifications, available from http://www.oasis-open.org, prescribe countermeasures against several specific attacks, but contain no formal or semi-formal security analysis. The contribution of this paper is to fill that gap. A response to it, dated July 8, 2004, from the OASIS technical committee responsible for SAML, is also relevant. Together, the two documents complement the normative specifications, providing a careful analysis of one of the several SAML 1.1 profiles.
The security analysis in this paper does not use formal methods. It follows, instead, a natural-language analytical approach based on a close reading of the normative specifications. The paper uses a bare minimum of notation and remains easy to follow throughout. It gives a concise description of the protocol and explains each weakness it perceives in the profile under scrutiny. From the weaknesses so identified, the paper derives possible attacks.
The committee's response acknowledges the value of the security analysis and addresses the specific points it raises, with useful guidance for implementers. The response also explains how each identified weakness is to be handled in the next major version of the specification (SAML 2.0). This security analysis is a valuable contribution toward better engineering of the SAML protocol.