Commit 2b98588e authored by Pavel Břoušek's avatar Pavel Břoušek

docs: background

parent 79b3ab6e
......@@ -3,6 +3,40 @@
[nuclei](https://docs.projectdiscovery.io/tools/nuclei/overview) templates
for testing SAML service providers.
## Background
The goal of these templates is to test SAML authentication between a SP (the target) and a conformance IdP (see below).
There are two ways to start the authentication:
1. IdP-initiated, starts by redirecting to an endpoint of the conformance IdP
1. SP-initiated (the most common), which usually starts at the SP by clicking a "login" button, accessing a protected page etc.
The IdP-initiated login is easier to automate, because the endpoint is known, but this produces *unsolicited* authentication responses, which some SPs might reject.
SP-initiated login can have many forms, but some of them are more or less standardized:
### Service Provider Request Initiation Protocol
[Service Provider Request Initiation Protocol](https://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation.html) can be used to start login with a specific IdP (it is as easy as with IdP-initiated login)
> there are about 50 universally looking paths to this endpoint in eduGAIN, most of them are Shibboleth SPs (SimpleSAMLphp does not have this, neither does SATOSA; Keycloak embeds a realm in the URLs so they cannot be guessed)
### Discovery response endpoint
[Identity Provider Discovery Service](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf) response endpoint can be used to pretend that a user has selected a specific IdP (unsolicited message to this endpoint),
that should also trigger an SP-initiated login.
> there are about 90 universally looking paths to this endpoint in eduGAIN - Shibboleth SPs, SimpleSAMLphp, SATOSA and more
### SP-specific login page/button
If neither of these previously mentioned endpoints are available, we can try to find a login page and click a login button, for example:
* a generic template which will assume that the button is on the home page ("/") and it has the words "log in" or "sign in" on it, and it is a link which will directly select the conformance IdP
* this can be further extended to be able to bypass well-known discovery services by performing the selection of conformance IdP on the DS (only applicable if the conformance IdP is going to be in the DS)
* a SP-specific template for SP-specific behavior
## Requirements
### nuclei
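Review bot: The "(see below)" in the Background intro refers to a description of the conformance IdP that does not appear anywhere in this hunk, and the added text ends at "### nuclei" under Requirements, so either link the heading that actually describes the conformance IdP or state here where its metadata/entityID comes from. Two smaller points: the two blockquoted eduGAIN figures ("about 50" and "about 90 universally looking paths") are undated estimates, so add when and how they were counted so the claim can be rechecked; and "If neither of these previously mentioned endpoints are available" should read "is available".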