undefined | Better HN

0 pointstptacek1y ago0 comments

I don't think artifact binding really addresses many of the issues people are talking about when they suggest OIDC is categorically more secure than SAML.

0 comments

ralala1y ago

OIDC is newer and many of the issues with SAML were addressed in the architecture. However I’m curious to hear which attack vectors you are thinking about.

tptacekOP1y ago

Most obviously, the precarity of XMLDSIG.

ralala1y ago

This is where artifact binding can greatly increase the security….

Browser sends artifact to RP, RP fetches assertion from IdP via HTTPs, afterwards verifies the signature.

Signature verification is not implemented correctly? The attacker still needs to break HTTPS…. And then you would have a big problem anyway.

1 more reply

j / k navigate · click thread line to collapse

0 pointstptacek1y ago0 comments

I don't think artifact binding really addresses many of the issues people are talking about when they suggest OIDC is categorically more secure than SAML.

0 comments

ralala1y ago

OIDC is newer and many of the issues with SAML were addressed in the architecture. However I’m curious to hear which attack vectors you are thinking about.

tptacekOP1y ago

Most obviously, the precarity of XMLDSIG.

ralala1y ago

This is where artifact binding can greatly increase the security….

Browser sends artifact to RP, RP fetches assertion from IdP via HTTPs, afterwards verifies the signature.

Signature verification is not implemented correctly? The attacker still needs to break HTTPS…. And then you would have a big problem anyway.

1 more reply

j / k navigate · click thread line to collapse