SKILL: SAML SSO and Assertion Attacks — Signature Validation, Binding, and Trust Confusion
AI LOAD INSTRUCTION: Use this skill when the target uses SAML-based SSO and you need to validate assertion trust: signature coverage, audience and recipient checks, ACS handling, XML parsing weaknesses, and IdP/SP confusion.
1. WHEN TO LOAD THIS SKILL
Load when:
- Enterprise SSO uses SAML requests or responses
- You see SAMLRequest, SAMLResponse, XML assertions, or ACS endpoints
- Login flows involve an external IdP and browser POST/redirect binding
2. HIGH-VALUE MISCONFIGURATION CHECKS
| Theme | What to Check |
|---|---|
| signature validation | unsigned assertion accepted, wrong node signed, signature wrapping |
| audience and recipient | weak Audience, Recipient, Destination, or ACS validation |
| issuer trust | wrong IdP accepted or multi-tenant issuer confusion |
| replay and freshness | missing InResponseTo, weak NotBefore / NotOnOrAfter enforcement |
| account mapping | email-only binding, case folding, unverified attributes |
| XML parser behavior | XXE-like parser issues or unsafe transforms around SAML documents |
3. QUICK TRIAGE
- Capture one full login round trip.
- Inspect which XML nodes are signed and which attributes drive account binding.
- Compare SP-initiated and IdP-initiated flows.
- Test replay, altered attributes, and assertion placement confusion.
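Seen from the validating side, the table in section 2 and the triage steps above map onto concrete checks an SP has to make on every response. The Python below is an added example, not part of this skill or of any SAML library: the sample response, entity IDs and URLs are constructed, and cryptographic verification of the ds:Signature is assumed to be done separately (e.g. with xmlsec), so the code covers only what that check leaves open: which node the signature references, issuer, audience, recipient, InResponseTo and the validity window.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):  # SAML timestamps are ISO 8601 UTC with a trailing Z; return an aware datetime
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion_trust(xml_text, trusted_issuer, sp_entity_id, acs_url, outstanding_ids, now):
    """Structural trust checks on a SAML Response; returns findings (empty = pass). Signature crypto (e.g. xmlsec) is assumed to run separately."""
    root = ET.fromstring(xml_text)  # stdlib expat does not resolve external entities
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one top-level Assertion, found {len(assertions)}"]
    a, findings = assertions[0], []
    aid = a.get("ID", "")
    # Wrong node signed / wrapping: the Reference must name this assertion's ID, and that ID
    # must occur exactly once in the whole document (a second element reusing it is suspect).
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + aid:
        findings.append("assertion unsigned or signature references another node")
    if sum(1 for e in root.iter() if e.get("ID") == aid) != 1:
        findings.append("assertion ID is not unique in the document")
    if a.findtext("saml:Issuer", default="", namespaces=NS) != trusted_issuer:
        findings.append("issuer is not the configured IdP")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("audience does not include this SP")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        findings.append("missing or unsatisfied NotBefore/NotOnOrAfter")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient does not match our ACS URL")
    if scd is None or scd.get("InResponseTo") not in outstanding_ids:
        findings.append("InResponseTo does not match an outstanding AuthnRequest")
    return findings

# Constructed sample (not a real IdP message): a response whose single assertion is signed.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion ID="_a1"><saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://sp.example/acs" InResponseTo="_req9"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = dt.datetime(2030, 1, 1, 0, 1, tzinfo=dt.timezone.utc)  # inside the sample's validity window
```

Each finding string corresponds to one row of the table in section 2, so a failing check during triage points directly at the misconfiguration theme to report.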
4. RELATED ROUTES
- XML parser attack depth: xxe xml external entity
- OAuth or OIDC SSO alternatives: oauth oidc misconfiguration
- Auth boundary issues after SSO: authbypass authentication flaws