D. Securing SAML assertions

In chapter 8, we introduced SAML assertions that can be used to communicate the findings of a security service. Since service endpoints depend on SAML assertions to identify users and make other security decisions, we should secure those assertions, too, in particular against the following threats:

• Forgery and tampering An attacker may submit a completely forged assertion. Or, he may tamper with the information in an assertion created by the security service. In use case #2 we described in section 8.2.2, the source endpoint can add an AttributeStatement (or alter it) in the assertion returned by the security service to make itself a member of the administrators group.

• Replaying An assertion can be captured and reused by an attacker. The attacker might replay the original message that has an assertion in it as is, or reuse the captured assertion as part of a different message.

• Privacy The user’s privacy may be violated if an assertion includes more details than a service endpoint really needs or if a MIM grabs the details in the assertion by eavesdropping.