Cheat sheet and tricks for SAML.
Test with the SAML Raider extension in Burp Suite
❗ Use private windows (or Incognito mode) to test!
ADFS Pass Through
- Start Burp Suite.
- Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
- Under TLS pass through, click on Add.
- Add your ADFS server hostname (for example adfs.domain.com).
Intercept client SAML requests
- Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
- Under Request interception rules, click on Add and create a rule with:
  - Boolean operator: And
  - Match type: Body
  - Match relationship: Matches
  - Match condition: SAMLResponse
Use SAMLRaider
- Enable request interception.
- When intercepting the POST request containing “SAMLResponse=”, select the SAML Raider tab in the message editor (next to Pretty, Raw, Hex).
- Select one XSW attack (XSW1 to XSW8).
- If applicable, click the Match and Replace button. Click on the + button to add as many as needed.
- Click Apply XSW.
- Forward the request.
- Repeat for each of the eight XSW attacks.
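What the XSW attacks above test, seen from the service-provider side: an added example (not from this cheat sheet or from SAML Raider) of the structural check a relying party should perform after cryptographic signature verification, so that the Assertion it consumes is exactly the element the signature covers. The namespaces are the standard SAML 2.0 and XML-DSig ones; both sample responses are constructed and omit digests and signature values.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def select_signed_assertion(xml_bytes: bytes) -> str:
    """Return the ID of the one Assertion the signature covers, or raise ValueError.
    Assumes xmldsig verification is done separately; this is the structural part."""
    root = ET.fromstring(xml_bytes)
    parent = {child: p for p in root.iter() for child in p}
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    # XSW variants copy the signed element, so the signed ID tends to appear twice.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attribute in document")
    sigs = root.findall(".//ds:Signature", NS)
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(sigs) != 1 or len(refs) != 1:
        raise ValueError("expected exactly one Signature with one Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("Reference URI must be a same-document fragment")
    # Enveloped signature: its parent is the signed element, which must be the root or our Assertion.
    signed = parent[sigs[0]]
    if signed.get("ID") != uri[1:]:
        raise ValueError("Signature is not enclosed by the element it references")
    if signed is not root and signed is not assertions[0]:
        raise ValueError("signed element is neither the Response nor the Assertion")
    return assertions[0].get("ID")

# Constructed sample: assertion-signed Response as an IdP would issue it.
GOOD = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1"><saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>"""
# Constructed sample of the shape an XSW test produces: an unsigned Assertion placed ahead of
# the signed one, which a verifier that consumes "the first Assertion" would accept.
WRAPPED = GOOD.replace(b'<saml:Assertion ID="_a1">',
    b'<saml:Assertion ID="_x"><saml:Subject><saml:NameID>mallory</saml:NameID>'
    b'</saml:Subject></saml:Assertion><saml:Assertion ID="_a1">')

def is_accepted(xml_bytes: bytes) -> bool:
    try:
        return select_signed_assertion(xml_bytes) is not None
    except ValueError:
        return False
```

If a target accepts the WRAPPED shape after one of the XSW variants, the finding is that the consumed Assertion is not tied to the verified signature reference.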
Identity Providers using SAML
This list is not exhaustive.
- Active Directory Federation Services (ADFS)
  - ADFS provides users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
  - Claims-based authentication involves authenticating a user based on a set of claims about that user’s identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication. It is part of the Active Directory Services.
- CyberArk Idaptive (CyberArk)