Skip to content

Clarify IdP-initiated SSO section: specify login CSRF, remove MITM re… #1876 #1882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Clarify IdP-initiated SSO section: specify login CSRF, remove MITM re… #1876 #1882

wants to merge 2 commits into from

Conversation

@0xgaurav
Copy link

@0xgaurav 0xgaurav commented Nov 8, 2025
edited by mackowski
Loading

Summary

This PR improves the "IdP Initiated SAML SSO" section of the SAML Security Cheat Sheet.

  • Removes an external reference incorrectly claiming IdP-initiated SSO is uniquely vulnerable to MITM.
  • Clarifies that the main design limitation is the lack of login CSRF protection, since the SP cannot establish a pre-login state to bind the response.

Rationale

This aligns the cheat sheet with accurate security reasoning while keeping the focus on real, design-based risks rather than general TLS issues.

Covers: #1876

jmanico
jmanico previously approved these changes Nov 8, 2025
View reviewed changes
@mackowski
Copy link
Collaborator

mackowski commented Nov 9, 2025

@0xgaurav looks good but linter check if failing, please fix that. Also please next time use our PR template for Pull Request because it contains a checklist that would for example allow you to find and fix this much earlier.

@mackowski
Copy link
Collaborator

mackowski commented Nov 9, 2025

Also I see that this issue is assigned to @madaster97

@mackowski mackowski requested a review from Copilot November 9, 2025 06:53
Copilot AI reviewed Nov 9, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR improves the documentation in the SAML Security Cheat Sheet by expanding and clarifying the security considerations for IdP-initiated SSO (Unsolicited Response). The changes provide more nuanced technical explanations of the security trade-offs involved.

  • Clarified that IdP-initiated SSO specifically lacks "login CSRF" protection and explained why
  • Added important context distinguishing MITM attack risks from login intent validation issues
  • Improved explanation of backward compatibility rationale for continued IdP-initiated SSO support

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@0xgaurav
Copy link
Author

0xgaurav commented Nov 9, 2025

Also I see that this issue is assigned to @madaster97

Thanks for letting me know! I didn’t realize this issue was already assigned — my apologies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jmanico jmanico jmanico left review comments

@kwwall kwwall Awaiting requested review from kwwall kwwall is a code owner

@mackowski mackowski Awaiting requested review from mackowski mackowski is a code owner

@szh szh Awaiting requested review from szh szh is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@0xgaurav @mackowski @jmanico