Yes, security of the identity store is important.

A friend at work identified a “feature” of SAML-based identity federation systems. The weakness is likely present in *any* SAML identity federation system. To explain it, I’ll posit a Google Apps domain configured to use SSO with a company that uses Oracle’s Identity and Access Management products. In that product line, OIF is the federation server and OAM is the authorization server.

Basically, it works like this:

Someone types http://mail.example.com/ into her browser. Her browser and the OS resolve the hostname to an IP address on Google’s SSO servers, connect to it, and pass an HTTP Host header saying which host she is trying to reach: “mail.example.com.”

Google now knows only that she’s trying to get into the Example company’s Google Apps account. It sets a session cookie in her browser and redirects her to our OIF server. At this point, it has no idea who she is.

The next thing she sees is the SSO login page (actually presented by OAM, because access to OIF is controlled by OAM). Our user types in her username and password. OAM checks these against AD. If they are correct, it sets its own session cookie in her browser and then redirects her to OIF.

OIF sees that OAM authenticated her (it sees the cookie) and retrieves whatever e-mail address is stored in her AD account or, if she’s visited recently, from its cache of her account from an earlier visit.

Next, OIF makes up a wee packet, encrypted with Google’s own public key. It contains the e-mail address and maybe some other fluff. OIF hands that to the browser along with a redirection URL which will cause it to load a special “page” at Google’s SSO system, delivering the encrypted packet.

Google’s SSO system sees the session cookie it set earlier, decrypts the “packet” from OIF and sees the e-mail address OIF read from AD (or its own cache). Now Google knows that the browser with its session cookie is authorized to access the Google Apps account identified by that e-mail address.

Now, if you absorbed all that, you’ll see the “weakness.” Quotes because I’m not sure a stipulation or basic assumption about how the system works can fairly be called a weakness.

Anyone who can change the contents of the identity store (AD, in our case) can game the system – so to speak. And that’s not at all new. That’s *always* been true, for *any* system.
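To make the redirect chain above and the point about the identity store concrete, here is an added toy model of the flow (example code, not from this post or from Google or Oracle). The service provider, OAM, OIF and AD are stand-in functions and a dictionary; the assertion is signed with an HMAC under a constructed key rather than a real SAML signature, and the audit list is an assumed defender-side control.

```python
import hmac, hashlib, json, secrets

# Constructed identity store standing in for AD: account -> credentials and mail attribute.
DIRECTORY = {"alice": {"password": "correct horse", "mail": "alice@example.com"}}
IDP_KEY = b"constructed-key"   # stands in for the key OIF uses to protect the assertion
attribute_audit = []           # assumed control: every identity-store change is recorded

def set_mail(account, new_mail, changed_by):
    """Change the mail attribute in the identity store and record who did it."""
    old = DIRECTORY[account]["mail"]
    DIRECTORY[account]["mail"] = new_mail
    attribute_audit.append({"account": account, "old": old, "new": new_mail, "by": changed_by})

def oam_authenticate(username, password):
    """OAM checks the credentials against AD and returns its own session (the OAM cookie)."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return {"oam_session": secrets.token_hex(8), "account": username}

def oif_issue_assertion(oam_session):
    """OIF trusts the OAM session and asserts whatever mail attribute AD currently holds."""
    mail = DIRECTORY[oam_session["account"]]["mail"]
    payload = json.dumps({"mail": mail}).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_consume_assertion(sp_session, assertion):
    """The SP's SSO endpoint verifies the assertion and binds its session to the asserted mailbox.
    It never sees a password; the mail attribute alone decides which account is opened."""
    expected = hmac.new(IDP_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    sp_session["mailbox"] = json.loads(assertion["payload"])["mail"]
    return sp_session["mailbox"]

def sso_login(username, password):
    """Run the whole chain: SP cookie -> OAM login -> OIF assertion -> SP account binding."""
    sp_session = {"sp_cookie": secrets.token_hex(8)}   # set on the first visit to mail.example.com
    oam_session = oam_authenticate(username, password)
    if oam_session is None:
        return None
    return sp_consume_assertion(sp_session, oif_issue_assertion(oam_session))
```

Because the SP binds the session to whatever mail attribute the directory holds at login time, the audit trail of attribute changes is where a defender would look for misuse of the identity store.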
