
0xgaurav (Contributor) commented Nov 8, 2025

Summary

This PR improves the "IdP Initiated SAML SSO" section of the SAML Security Cheat Sheet.

  • Removes an external reference incorrectly claiming IdP-initiated SSO is uniquely vulnerable to MITM.
  • Clarifies that the main design limitation is the lack of login CSRF protection, since the SP cannot establish a pre-login state to bind the response.

Rationale

This aligns the cheat sheet with accurate security reasoning while keeping the focus on real, design-based risks rather than general TLS issues.

Covers: #1876
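The limitation the PR description names (the SP has no pre-login state to bind an unsolicited Response to) can be shown in code. The following Python sketch is an added example, not code from the cheat sheet or from this PR: a toy SP that mints an AuthnRequest ID for SP-initiated logins and checks InResponseTo on the way back, and that, for an IdP-initiated Response, has nothing to check it against. The class and function names and the minimal unsigned Response XML are constructed for illustration; a real SP also verifies the signature, audience, recipient and validity window, which the cheat sheet covers separately and this example leaves out.

```python
import secrets
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the constructed Response below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class ServiceProvider:
    """Toy SP (hypothetical name) that models only the request/response binding."""

    def __init__(self, allow_unsolicited=False):
        # Pre-login state, keyed by the AuthnRequest ID the SP issued.
        self.pending = {}
        self.allow_unsolicited = allow_unsolicited

    def start_login(self, return_to="/"):
        """SP-initiated flow: mint an AuthnRequest ID and record pre-login state for it."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = {"return_to": return_to}
        return request_id

    def consume_response(self, response_xml):
        """Assertion Consumer Service logic for the binding check only.

        Signature, Audience, Recipient and NotOnOrAfter checks are deliberately
        out of scope here; they are identical in both flows and do not address
        login CSRF.  A production SP should parse with a hardened XML parser.
        """
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % NS["samlp"]:
            raise ValueError("not a samlp:Response")

        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited (IdP-initiated): there is no pre-login state to bind to,
            # so the SP cannot tell whether this user intended to log in here.
            if not self.allow_unsolicited:
                raise ValueError("unsolicited Response rejected: IdP-initiated SSO is disabled")
            return {"bound": False, "subject": self._subject(root), "return_to": None}

        # SP-initiated: the Response must echo an ID we issued.  pop() also makes
        # the ID single-use, so the same Response cannot be consumed twice.
        state = self.pending.pop(in_response_to, None)
        if state is None:
            raise ValueError("InResponseTo does not match any pending AuthnRequest")
        return {"bound": True, "subject": self._subject(root), "return_to": state["return_to"]}

    @staticmethod
    def _subject(root):
        name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        return name_id.text if name_id is not None else None


def make_response(name_id, in_response_to=None):
    """Build a minimal, unsigned samlp:Response (constructed test input, not a real IdP message)."""
    attrs = f'ID="_{secrets.token_hex(8)}" Version="2.0"'
    if in_response_to is not None:
        attrs += f' InResponseTo="{in_response_to}"'
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" {attrs}>'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    sp = ServiceProvider()
    rid = sp.start_login("/dashboard")
    print(sp.consume_response(make_response("alice@example.com", rid)))
    try:
        sp.consume_response(make_response("alice@example.com"))
    except ValueError as exc:
        print("rejected:", exc)
    print(ServiceProvider(allow_unsolicited=True).consume_response(make_response("bob@example.com")))
```

With allow_unsolicited left at False the unsolicited Response is rejected outright; with it set to True the Response is accepted but comes back with bound=False, which is exactly the state in which the SP cannot rule out a login CSRF and any remaining mitigation has to be applied after the fact. That is the sense in which the flow is less secure by design rather than because of any transport weakness.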

jmanico
jmanico previously approved these changes Nov 8, 2025
@mackowski (Collaborator):

@0xgaurav looks good but the linter check is failing, please fix that. Also please next time use our PR template for Pull Requests because it contains a checklist that would for example allow you to find and fix this much earlier.

@mackowski (Collaborator):

Also I see that this issue is assigned to @madaster97

@mackowski mackowski requested a review from Copilot November 9, 2025 06:53
Copilot AI (Contributor) left a comment


Pull Request Overview

This PR improves the documentation in the SAML Security Cheat Sheet by expanding and clarifying the security considerations for IdP-initiated SSO (Unsolicited Response). The changes provide more nuanced technical explanations of the security trade-offs involved.

  • Clarified that IdP-initiated SSO specifically lacks "login CSRF" protection and explained why
  • Added important context distinguishing MITM attack risks from login intent validation issues
  • Improved explanation of backward compatibility rationale for continued IdP-initiated SSO support


0xgaurav (Contributor, Author) commented Nov 9, 2025

> Also I see that this issue is assigned to @madaster97

Thanks for letting me know! I didn’t realize this issue was already assigned — my apologies.

@madaster97:

I'm happy for @0xgaurav 's PR to go through!

## Unsolicited Response (ie. IdP Initiated SSO) Considerations for Service Providers

Unsolicited Response is inherently [less secure](https://www.identityserver.com/articles/the-dangers-of-saml-idp-initiated-sso) by design due to the lack of [CSRF](https://owasp.org/www-community/attacks/csrf) protection. However, it is supported by many due to the backwards compatibility feature of SAML 1.1. The general security recommendation is to not support this type of authentication, but if it must be enabled, the following steps (in addition to everything mentioned above) should help you secure this flow:
Unsolicited Response is inherently less secure by design due to the lack of **login [CSRF](https://owasp.org/www-community/attacks/csrf)** protection. This limitation arises because the Service Provider (SP) has no opportunity to create a pre-login session or verify that the authentication request was intentionally initiated by the user.
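Review bot: The replacement paragraph drops two things from the old line: the sentence that IdP-initiated SSO remains widely supported for SAML 1.1 backwards compatibility, and the lead-in "the following steps (in addition to everything mentioned above) should help you secure this flow" that introduces the mitigation list below it; unless both reappear on lines outside this hunk, the list loses its introduction and the backward-compatibility rationale the PR summary says it keeps is gone. Since "login CSRF" is now the key term, link it to the Login CSRF section of the OWASP CSRF Prevention Cheat Sheet rather than the generic attack page, as raised in this thread. Minor: the heading's "ie." should be "i.e.".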

0xgaurav (Contributor, Author):

Thanks for the suggestion! Yes, that link fits better and points directly to the relevant CSRF section. I’ll update the reference to use this specific section from the OWASP CSRF Prevention Cheat Sheet.

@mackowski (Collaborator):

Thanks @madaster97 and thanks for PR review!

0xgaurav reopened this Nov 15, 2025