Enhancing SAML Security: Insights from the GEANT Trust & Identity Incubator

I had the opportunity to contribute to the GEANT Trust & Identity Incubator (T&I Incubator), where we tackled a pressing challenge: ensuring robust SAML signature validation across federations. This was a critical effort aimed at strengthening the security of Service Providers (SPs) within national research and education networks (NRENs).

Why SAML Signature Validation Matters

SAML (Security Assertion Markup Language) is foundational for identity federation, enabling secure communication between Identity Providers (IdPs) and SPs. However, misconfigurations or vulnerabilities in SPs can lead to security gaps. Proper signature validation ensures that SAML assertions are genuine, tamper-proof, and from trusted sources, which is essential for safeguarding sensitive academic and research data.

Project Goals and Use Cases

Our goal was to develop a scalable software solution to test the core security properties of SAML deployments. We targeted several use cases, including:

  • Self-testing by SPs preparing for production deployment.
  • Automated testing during SP onboarding or periodic reviews by federation operators (FedOps).

Technical Innovations and Tools

The project leveraged the Nuclei vulnerability scanner, known for its extensive library and automation capabilities. Custom templates were created to simulate various test scenarios, such as invalid or missing signatures. Key highlights included:

  • Test IdP: A SimpleSAMLphp instance with a custom “conformance” module for flexible test configurations.
  • Deployment Flexibility: The solution supported multiple SP implementations, including SimpleSAMLphp, Keycloak, and Shibboleth.
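To make concrete what "proper signature validation" in the section above means, and what the test scenarios just mentioned (invalid or missing signatures) exercise, here is an added Python example. It is not code from this post, from the Nuclei templates or from the conformance module; it stands in for the SP side of the test. To stay standard-library only it replaces the XML-DSig RSA signature with an HMAC over the ds:SignedInfo element and uses a simplified canonicalisation, so the crypto is a stand-in, but the decision sequence (signature present, ds:Reference covers this Assertion's ID, signer listed in the trust store, digest intact, signature value correct) is what a conformant SP has to enforce. Key names, secrets, IDs and the response contents are constructed.

```python
"""SP-side SAML assertion validation checks, exercised by a conformance-style case set.

Constructed example: HMAC over ds:SignedInfo replaces the XML-DSig RSA signature,
and ET.tostring() of a detached copy replaces exclusive C14N. Decision logic only.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _p, _u in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_p, _u)

# Constructed trust store: KeyName -> shared secret (stands in for IdP signing certs from metadata).
TRUSTED_KEYS = {"test-idp-2024": b"constructed-idp-secret"}


def _canon(elem):
    """Simplified canonicalisation: deterministic serialisation of a detached copy."""
    return ET.tostring(copy.deepcopy(elem), encoding="utf-8")


def _assertion_digest(assertion):
    """SHA-256 digest of the Assertion with the enveloped ds:Signature removed."""
    clean = copy.deepcopy(assertion)
    for sig in clean.findall(f"{{{DS}}}Signature"):
        clean.remove(sig)
    return base64.b64encode(hashlib.sha256(_canon(clean)).digest()).decode()


def build_response(name_id, assertion_id="_a1"):
    """Unsigned samlp:Response carrying one saml:Assertion (constructed test data)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_r1", Version="2.0")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=assertion_id, Version="2.0")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://test-idp.example/idp"
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(resp, encoding="utf-8")


def sign_response(xml_bytes, key_name, key, reference_id=None):
    """Test-IdP role: attach an enveloped signature to the Assertion.

    reference_id lets a test case point ds:Reference at an ID the Assertion does
    not carry, one of the non-conformant inputs the SP must refuse.
    """
    root = ET.fromstring(xml_bytes)
    a = root.find(f"{{{SAML}}}Assertion")
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + (reference_id or a.get("ID")))
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _assertion_digest(a)
    mac = hmac.new(key, _canon(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(root, encoding="utf-8")


def validate_response(xml_bytes, trusted_keys=TRUSTED_KEYS):
    """SP role: return (accepted, reason); each rejection reason is one test case."""
    root = ET.fromstring(xml_bytes)
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        return False, "no assertion"
    sig = a.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "missing signature"  # an unsigned assertion is never trusted
    si = sig.find(f"{{{DS}}}SignedInfo")
    ref = si.find(f"{{{DS}}}Reference") if si is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        return False, "reference does not cover assertion"  # signature is for something else
    key = trusted_keys.get(sig.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName"))
    if key is None:
        return False, "signer not trusted"  # key not in federation metadata
    if ref.findtext(f"{{{DS}}}DigestValue") != _assertion_digest(a):
        return False, "assertion modified after signing"  # digest mismatch
    expected = hmac.new(key, _canon(si), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, given):
        return False, "signature value invalid"
    return True, "ok"


def run_conformance_cases():
    """Send the validator the scenarios a conformance scan would generate."""
    key_name, key = "test-idp-2024", TRUSTED_KEYS["test-idp-2024"]
    unsigned = build_response("alice@example.org")
    good = sign_response(unsigned, key_name, key)
    cases = {
        "valid": good,
        "missing signature": unsigned,
        "tampered after signing": good.replace(b"alice@example.org", b"admin@example.org"),
        "untrusted signer": sign_response(unsigned, "rogue-idp", b"rogue-secret"),
        "wrong key for trusted name": sign_response(unsigned, key_name, b"not-the-idp-key"),
        "reference to other ID": sign_response(unsigned, key_name, key, reference_id="_other"),
    }
    return {name: validate_response(xml) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_conformance_cases().items():
        print(f"{name:28s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Only the first case is accepted; every other case is a distinct way an SP can fail validation, which is why a scanner template per scenario is needed rather than a single "is there a signature" probe. A real SP delegates the digest and signature arithmetic to an XML-DSig library, but the surrounding checks (reference-to-ID binding and trust-store lookup) are where deployments most often differ, and they are exactly what this case set targets.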

Delivering Impact

The sprint demo showcased our progress, highlighting successful validation tests against both compliant and non-compliant SP setups. By enabling proactive security checks, the project promises to help NRENs maintain a trustworthy identity federation ecosystem.

The final demo is available here: SAML Signature Validation demo

The SimpleSAMLphp module is available here: https://github.com/cicnavi/simplesamlphp-module-conformance

Reflections and Next Steps

Participating in the T&I Incubator reinforced the importance of collaboration between technical, operational, and legal stakeholders. As we refine the solution, the focus will be on streamlining deployment and extending support to a broader range of SPs.

This project was a rewarding journey into the complexities of identity federation security. It’s a step forward in fostering trust and resilience in global research and education networks.