SAML security best practices
The Security Assertion Markup Language (SAML) is an open standard for exchanging authorization and authentication information. In this document, we'll discuss some best practices that ensure sensitive information within the SAML Assertion is transmitted securely between ADSelfService Plus and a service provider (SP).
- Update to the latest version of ADSelfService Plus: Update your ADSelfService Plus instance to the latest version.
- Validate message confidentiality and usage: Refrain from using SSL v2, SSL v3. and TLS v1 protocols. Implement TLS 1.2 to guarantee message confidentiality and integrity at the transport layer. It will help ward off attacks like:
- Eavesdropping
- Theft of User Authentication Information
- Theft of the Bearer Token
- Message Deletion
- Message Modification
- Man-in-the-middle
- Additional countermeasures: Ensure that you enforce:
- IP Filtering to counter:
- Stolen assertion
- Man-in-the-middle attacks
- OneTimeUse on the SAML Response to counter:
- Browser State Exposure
- Replay
- IP Filtering to counter:
IdP considerations
- Generate SAML tokens after validating identities with strong authentication options.
- Synchronize to a common Internet time source.
- Define levels of assurance for identity verification.
- Choose asymmetric identifiers for identity assertions over personally identifiable information.
- Sign the entire response element or each individual assertion.
- Implement SHA-256 algorithm if supported by the SP.
- To prevent attackers from changing the embedded username in the SAML assertion, incorporate a signature within their SAML responses to prevent hackers from tampering with the assertions.
<saml:Signature>
......
<saml:SignatureValue>
dXNlcjE=
</saml:SignatureValue>
......
</saml:Signature>
......
<saml:AttributeStatement>
<saml:Attribute Name="abc">
<saml:AttributeValue>
victim_user
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement> - To prevent web attacks like SQL injection, stored-XSS, and XXE, the SAML messages should be sanitized before being used.
Note: Validate X.509 Certificate for export restrictions, algorithm compatibility, and encryption strength.
ADSelfService Plus as SP considerations:
- If a proxy set up is used, make sure to add proxy server details in the connector tag (location: conf/server.xml file).
<Connector SSLEnabled="true" acceptCount="100" ....... proxyName="selfservice.com"proxyPort="443"/>
Need help setting up SSO for your organization? Contact us.
Thanks!
Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here
Self-service password management and single sign-on solution
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.
- Related Products