Computing Reviews
Security analysis of the SAML single sign-on browser/artifact profile
Gross T.  Computer security applications (Proceedings of the 19th Annual Computer Security Applications Conference, Dec 8-12, 2003) 298, 2003. Type: Proceedings
Date Reviewed: Feb 3 2005

Gross, of the IBM Zurich research lab, presents a security analysis for a portion (the browser/artifact profile) of the Security Assertion Markup Language (SAML) version 1.1. The SAML normative specifications, available from, address countermeasures specific to several attacks, but lack a formal or semi-formal security analysis. The contribution of this paper is to fill this gap; a response to it, dated July 8, 2004, by the normative committee, is also relevant. Together, these two documents complement the normative specifications, providing a thoughtful analysis of one of the several SAML 1.1 implementation profiles.

The security analysis in this paper does not make use of formal methods. It follows, instead, a natural-language analytical approach, based on a close reading of the normative specifications. The paper uses a bare minimum of notation, and remains easily understandable at all times. It provides an essential description of the protocol, explaining any perceived weakness of the profile under scrutiny. On the basis of the weaknesses so identified, the paper proposes possible exploits.

The normative committee response to this paper acknowledges the value of the security analysis, and addresses the specific points it raises with useful suggestions for implementers. The response also explains how each identified weakness will be addressed in the next major version of the protocol specification. This security analysis is a valuable contribution toward improved engineering of the SAML protocol.

Reviewer:  A. Squassabia Review #: CR130763 (0510-1136)

Reproduction in whole or in part without permission is prohibited. Copyright 2004