Update: SAML Security Cheat Sheet #1876

@madaster97

Description

What is missing or needs to be updated?

In the section discussing IdP Initiated SAML SSO, it says:

Unsolicited Response is inherently less secure by design due to the lack of CSRF protection.

And while the CSRF call-out is fair, I think there is an issue with the article it links out to. Its main point is the following:

IdP-Initiated SSO is highly susceptible to Man-in-the-Middle attacks, where an attacker steals the SAML assertion

My point here: a MITM attack would be just as effective against an SP-Initiated login, since the attacker could just steal or edit the cookies that the SP would be using to tie a response to a session.

How should this be resolved?

Remove the reference to this article, and while we are here, also change CSRF to login CSRF for clarity.

My pitch is the following:

Unsolicited Response by design lacks login CSRF protection, since there is no step available for the SP to create a pre-login session.
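To make the binding gap concrete, here is an added example (not code from the cheat sheet, the linked article, or the issue author) of the SP-side check that separates the two flows. In the SP-initiated flow the SP mints an AuthnRequest ID, stores it in the pre-login session cookie, and later requires the Response's InResponseTo to match that stored value, so a Response replayed into another browser is rejected. An unsolicited (IdP-initiated) Response carries no InResponseTo, so there is no session state to compare against; if the SP accepts it, anyone holding a valid Response can POST it into a victim's browser and log that browser into the attacker's account (login CSRF). The sample Responses, the `sp.example.test` ACS URL and all function names are constructed for the demo; signature, Destination, audience and validity-window checks are assumed to happen elsewhere.

```python
"""SP-side binding of a SAML Response to the browser's pre-login session."""
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ACS_URL = "https://sp.example.test/saml/acs"  # hypothetical SP endpoint


def begin_sp_initiated_login(session: dict) -> str:
    """SP-initiated flow: mint an AuthnRequest ID and park it in the pre-login
    session (the cookie the same browser will present with the Response)."""
    request_id = "_" + secrets.token_hex(16)
    session["pending_authn_request_id"] = request_id
    return request_id


def make_response(in_response_to: Optional[str], subject: str) -> str:
    """Constructed, unsigned sample Response for the demo (not real IdP output).
    in_response_to=None models an IdP-initiated (unsolicited) Response."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" Version="2.0" Destination="{SP_ACS_URL}"{irt}>'
        f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0">'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'</saml:Assertion></samlp:Response>'
    )


def bind_response_to_session(session: dict, response_xml: str, allow_unsolicited: bool) -> str:
    """Decide whether a received Response belongs to this browser session.

    Assumes signature, Destination, audience and validity-window checks are done
    elsewhere; this function only shows the login-CSRF binding.  Returns
    "bound" or "unsolicited"; raises ValueError when the Response must be dropped.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    pending = session.get("pending_authn_request_id")

    if in_response_to is None:
        # IdP-initiated: nothing in the Response refers to a request this SP made,
        # so there is no pre-login session state to compare against.  Accepting it
        # means any party holding a valid Response can POST it into any browser.
        if not allow_unsolicited:
            raise ValueError("unsolicited Response rejected")
        return "unsolicited"

    # SP-initiated: the Response must answer the AuthnRequest that *this* session
    # started.  A Response replayed into another browser fails here.
    if pending is None or not secrets.compare_digest(in_response_to.encode(), pending.encode()):
        raise ValueError("InResponseTo does not match this session's AuthnRequest")
    session.pop("pending_authn_request_id")  # one-shot: a second use is rejected
    return "bound"


def subject_of(response_xml: str) -> str:
    """Name the account a Response would log the browser into."""
    root = ET.fromstring(response_xml)
    return root.find(f".//{{{SAML}}}NameID").text


if __name__ == "__main__":
    victim = {}
    rid = begin_sp_initiated_login(victim)
    print(bind_response_to_session(victim, make_response(rid, "alice"), False))
    # Attacker holds a valid Response for their own account and drops it into
    # the victim's browser; with unsolicited Responses allowed it is accepted.
    attacker_resp = make_response(None, "mallory")
    print(bind_response_to_session(victim, attacker_resp, True), subject_of(attacker_resp))
    try:
        bind_response_to_session(victim, attacker_resp, False)
    except ValueError as e:
        print("rejected:", e)
```

The check is deliberately one-shot: the pending request ID is removed once a Response is bound, so the same Response cannot be accepted twice in that session. Note that this is exactly the state the issue describes as unavailable for an unsolicited Response; RelayState does not substitute for it, since RelayState is chosen by whoever starts the IdP-initiated flow.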

Labels

ACK_OBTAINED: Issue acknowledged from core team so work can be done to fix it.
