Federation and Empire

Presented at DEF CON 19 (2011), Aug. 6, 2011, noon (50 minutes)

Federated Identity is becoming prevalent in corporate environments. True, solving cross-domain access control to Web applications or services is a nagging issue. Today, unsatisfying traditional approaches based on duplicated user accounts or dangerous trust domain relationships are being replaced by neater solutions. One of them is getting more and more popular not only in academic but in corporate environments as well: claims-based authorization relying on SAML tokens. This cross-domain federated Web SSO solution allows applications or service providers to finely control their access while leaving the burden of user management to their authoritative domains. Authoritative domains also keep full control over what they disclose about their users: very attractive. However, most existing material explains to developers how to leverage this technology while keeping them oblivious to the complexity and intricacies of the underlying protocols and (many) standards. By taking a radically low-level, API-free approach, this talk is intended for security pen-testers or architects who have to cope with SAML-based access control. The strictly necessary presentation of the standards involved will be given. Then the two main parts will focus on how to adapt an existing toolset to be fully operational against SAML access control, and on the key aspects that need to be considered prior to joining or creating such a federation. Most of the points are implementation agnostic and can be applied to Shibboleth, SimpleSAMLphp or Active Directory Federation Services, for instance. As well, the presented tools are Burp Pro extensions leveraging the Buby framework, but they can easily be translated into everyone's preferred toolset.
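As an added example (not code from the talk or its Burp/Buby extensions), the checks a service provider has to apply to a SAML 2.0 assertion before it trusts the claims inside: issuer allow-list, NotBefore/NotOnOrAfter validity window and AudienceRestriction. The assertion, entity IDs and `check_assertion`/`attributes` helpers are constructed placeholders; XML signature verification is assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature element omitted; entity IDs are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2011-08-06T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-08-06T11:59:00Z" NotOnOrAfter="2011-08-06T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.net/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuers, my_entity_id, now):
    """Return the list of policy violations; an empty list means the assertion
    passes the issuer, time-window and audience checks. In production, parse
    with a hardened XML parser (e.g. defusedxml) and verify the signature first."""
    problems = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:           # only federation partners we chose
        problems.append(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")  # an unconditioned assertion is never acceptable
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid")
        if noa and now >= _ts(noa):                # NotOnOrAfter is exclusive
            problems.append("assertion expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if my_entity_id not in audiences:          # token minted for another SP must be rejected
            problems.append(f"audience {audiences} does not include this SP")
    return problems

def attributes(xml_text):
    """Claims released by the authoritative domain, keyed by attribute Name."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
```

Only when `check_assertion` returns an empty list should the SP read `attributes` and make its authorization decision.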


Presenters:

  • Emmanuel Bouillon - Security Researcher
    Emmanuel Bouillon has been working in the Information Security field for more than a decade. Most of these years were spent as an InfoSec expert within the French Atomic Energy Commission, where he was in charge of a technical team dedicated to information security. Among its missions were incident handling, vulnerability assessment and penetration testing. Since 2009, Emmanuel Bouillon has lived in the Netherlands, working for an international organization as a Senior Information Assurance Scientist. His work is mainly focused on Cyber Defense issues. Emmanuel Bouillon has been a speaker at international conferences such as PacSec, BlackHat, Hack.lu and #days, has written several articles in IT/Security magazines and has taught network and system security in various French postgraduate schools. He holds a renewed ISO/CEI 27001:2005 Auditor certification and is credited for several responsibly disclosed vulnerabilities (CVE-2010-{0283,2229,2914,2941}, CVE-2011-{0001,...}).
