+ Start a Discussion
OneMeggittOneMeggitt 

SAML Security Issues?

Anyone had any experience with trying to validate the security of the Salesforce SAML?  

 

http://www.youtube.com/watch?v=7FP3GXWwnhw

 

Minute 17.50 asserts that salesforce has a security vulnerability to XML signature wrapping attacks if SAML is used for signing in.  I've tried to ask Salesforce about the potential concerns, but I haven't heard anything back in a couple of days.

 

We are keen to deploy SAML based authentication in our org to address other IT concerns. 

Has anyone out there used SAML and taken a deep dive to ensure that the SFDC implementation of SAML has been secured since this conference on youtube?

 

 

BrendanOBrendanO

Salesforce.com was immune to the signature wrapping attacked described approximately one year prior to that being presented.  The Salesforce.com security team worked closely with the researcher and discovered variants of the original attack that applied to other open source SAML implementations.  All of this information was responsibly disclosed and addressed well before being presented publicly.