
SAML SSO Assertion Attacks
Test enterprise SAML SSO trust boundaries—signatures, ACS, audience rules, and assertion wrapping—before you ship B2B login.
Overview
SAML SSO assertion attacks is an agent skill for the Ship phase that structures authorized testing of SAML signature validation, bindings, and assertion trust mistakes.
Install
npx skills add https://github.com/yaklang/hack-skills --skill saml-sso-assertion-attacks
What is this skill?
- High-value misconfiguration table: signature validation, audience/recipient, issuer trust, replay
- Quick triage: capture full login round trip and inspect signed XML nodes
- Covers assertion wrapping, unsigned assertion acceptance, and ACS handling flaws
- Account mapping risks: email-only binding, case folding, unverified attributes
- XML parser and transform weaknesses around SAML documents
- 6-theme high-value misconfiguration table in playbook
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your app uses SAML enterprise SSO and you need a disciplined checklist for assertion trust—not ad-hoc XML tweaking.
Who is it for?
Solo builders launching B2B products with SAMLRequest/SAMLResponse flows and external IdPs who need expert SSO review prompts.
Skip if: Pure OAuth/OIDC-only apps, marketing-site logins without SAML artifacts, or testing without customer authorization.
When should I use this skill?
Use when testing signature validation, assertion wrapping, audience restrictions, ACS handling, XML trust boundaries, and enterprise SSO flaws.
What do I get? / Deliverables
You produce triage against signature coverage, ACS validation, replay windows, and attribute mapping flaws with concrete misconfiguration themes to verify.
- SSO triage notes against signature, replay, ACS, and attribute-mapping checks
Journey fit
Ship security is the right shelf for pre-launch SSO hardening on apps that already integrate an IdP. This skill captures assertion signature coverage, replay controls, and XML trust mistakes that are distinct from everyday OAuth API integration.
How it compares
Assertion-trust playbook for SAML XML—not a substitute for IdP vendor consoles or automated DAST alone.
Common Questions / FAQ
Who is saml-sso-assertion-attacks for?
Developers and security reviewers responsible for enterprise SSO integrations who need SAML-specific attack and misconfiguration coverage.
When should I use saml-sso-assertion-attacks?
During Ship security when you see SAMLRequest, SAMLResponse, ACS endpoints, or browser POST/redirect IdP login before production SSO go-live.
Is saml-sso-assertion-attacks safe to install?
It documents offensive SSO test themes for scoped engagements; review the Security Audits panel on this page and only apply techniques with explicit permission.
SKILL.md - SAML SSO Assertion Attacks
# SKILL: SAML SSO and Assertion Attacks — Signature Validation, Binding, and Trust Confusion

> **AI LOAD INSTRUCTION**: Use this skill when the target uses SAML-based SSO and you need to validate assertion trust: signature coverage, audience and recipient checks, ACS handling, XML parsing weaknesses, and IdP/SP confusion.

## 1. WHEN TO LOAD THIS SKILL

Load when:

- Enterprise SSO uses SAML requests or responses
- You see `SAMLRequest`, `SAMLResponse`, XML assertions, or ACS endpoints
- Login flows involve an external IdP and browser POST/redirect binding

## 2. HIGH-VALUE MISCONFIGURATION CHECKS

| Theme | What to Check |
|---|---|
| signature validation | unsigned assertion accepted, wrong node signed, signature wrapping |
| audience and recipient | weak `Audience`, `Recipient`, `Destination`, or ACS validation |
| issuer trust | wrong IdP accepted or multi-tenant issuer confusion |
| replay and freshness | missing `InResponseTo`, weak `NotBefore` / `NotOnOrAfter` enforcement |
| account mapping | email-only binding, case folding, unverified attributes |
| XML parser behavior | XXE-like parser issues or unsafe transforms around SAML documents |

## 3. QUICK TRIAGE

1. Capture one full login round trip.
2. Inspect which XML nodes are signed and which attributes drive account binding.
3. Compare SP-initiated and IdP-initiated flows.
4. Test replay, altered attributes, and assertion placement confusion.

## 4. RELATED ROUTES

- XML parser attack depth: [xxe xml external entity](../xxe-xml-external-entity/SKILL.md)
- OAuth or OIDC SSO alternatives: [oauth oidc misconfiguration](../oauth-oidc-misconfiguration/SKILL.md)
- Auth boundary issues after SSO: [authbypass authentication flaws](../authbypass-authentication-flaws/SKILL.md)
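The misconfiguration table and triage steps above describe what a Service Provider must verify on an inbound Response; the following Python, added here and not part of the skill or of any SAML library, encodes those trust checks (exactly one Assertion, signature Reference covering that Assertion's ID, trusted Issuer, Destination and Recipient equal to the ACS, InResponseTo against pending requests, NotBefore/NotOnOrAfter with clock skew, Audience) over a constructed minimal Response. The hostnames, request ID and timestamps are made up, and cryptographic verification of the XML-DSig signature is assumed to have been done beforehand by a dedicated library; these are the checks that must still run after it passes.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # stdlib expat does not fetch external entities by default
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
_t = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC timestamps

def check_assertion_trust(xml_bytes, sp_entity_id, acs_url, trusted_issuers,
                          pending_request_ids, now, skew=timedelta(minutes=2)):
    """Return the failed checks; [] means the (already signature-verified) assertion may log in."""
    root = ET.fromstring(xml_bytes)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:  # wrapping smuggles a second Assertion: reject outright
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    a, fails = assertions[0], []
    # the verified signature must live inside this Assertion and reference its own ID
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        fails.append("signature does not cover this Assertion")
    if a.findtext("saml:Issuer", "", NS) not in trusted_issuers:
        fails.append("untrusted Issuer")
    if root.get("Destination") != acs_url:
        fails.append("Destination is not our ACS")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        fails.append("Recipient is not our ACS")
    if scd is None or scd.get("InResponseTo") not in pending_request_ids:
        fails.append("InResponseTo matches no pending AuthnRequest (replay or unsolicited)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return fails + ["missing Conditions"]
    if now + skew < _t(cond.get("NotBefore")) or now - skew >= _t(cond.get("NotOnOrAfter")):
        fails.append("outside NotBefore/NotOnOrAfter window")
    if sp_entity_id not in [e.text for e in cond.findall(".//saml:Audience", NS)]:
        fails.append("Audience does not name this SP")
    return fails

# Constructed minimal Response; the Signature element is schematic (no digests or key info)
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example.test/acs"><saml:Assertion ID="_a1">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
  Recipient="https://sp.example.test/acs" InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed clock inside the validity window
def run_sample(xml_bytes=SAMPLE, pending=("_req1",)):
    return check_assertion_trust(xml_bytes, "https://sp.example.test", "https://sp.example.test/acs",
                                 {"https://idp.example.test"}, pending, NOW)
```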