Defcon19:Federation and Empire

Speaker: Emmanuel Bouillon Security Researcher

Federated Identity is getting prevalent in corporate environments. True, solving cross domain access control to Web applications or services is a nagging issue. Today, unsatisfying traditional approaches based on duplicated user accounts or dangerous trust domain relationships are being replaced by neater solutions. One of them is getting more and more popular not only in academic but in corporate environments as well: Claims-based authorization relying on SAML tokens. This cross domain federated Web SSO solution allows applications or service providers to finely control their access while leaving the burden of users management to their authoritative domains. Authoritative domains also keep full control on what they disclose about their users: Very attractive. However most existing material explains developers how to leverage this technology while keeping them oblivious to the underlying protocols or (many) standards' complexity and intricacies. By taking a radically low level approach, API free, this talk is intended to security pen-testers or architects who have to cope with SAML based access control. The just necessary presentation of the standards involved will be given. Then the two main parts will focus on how to adapt existing tool set to be fully operational against SAML access control and to key aspects that need to be considered prior joining or creating such federation. Most of the points are implementation agnostic and can be applied to Shibboleth, SimpleSAMLPHP or Active Directory Federation Service for instance. As well, the presented tools are Burp Pro Extensions leveraging the Buby framework but can be easily be translated into everyone preferred toolset.