College Website
Ok, so the website has "SAML 2.0 SP Metadata", which is Security Assertion Markup Language, uploaded on the Ubuntu Apache server for our school's website. The SAML script also works with "Shib 1.3 IdP Metadata".
Basically, I want to know and understand the advantages and disadvantages of this type of authentication script.
It's easy to analyze error pages and find yourself at a page that gives you the option to log on as an administrator, as well as giving you the administrator's username, but not the password of course. Isn't this a big security issue in itself?
I have an example website that uses this type of user/password authentication, but I don't know if it's against the rules to post it.
The following image below shows the SSO process of communication between client to server.
UPDATE*
When I go to log in with my correct username and password, I analyze the different requests being made between the client and server ends. After I have completed the login I receive these:
SimpleSAMLAuthToken=_5e88d57e8dc2049604e8425bec..etc
- there is always an underscore before the AuthToken
PHPSESSID=bef282065b2b15c615ad9c0f..etc
- PHP session identification
Now I did find a link that allows me to access the login screen with the Admin's "SimpleSAMLAuthToken", but from there the password is needed to obtain the "PHPSESSID".
Now, when I was viewing the requests from the server, I saw a /Router.php that displays different POST commands sent by the router, I believe. This caught my attention.
I'm also able to view .css pages of the website, such as /retina.css, but all they contain is just the CSS script.
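The two cookies named in the post are the session identifiers that a site operator would want to harden. As an added example (not code from this thread or from SimpleSAMLphp), the script below audits Set-Cookie headers for the attributes a defender checks on a session cookie: Secure, HttpOnly and SameSite. The header lines are constructed sample data with dummy values shaped like the ones quoted above; they were not captured from any real site. In SimpleSAMLphp these attributes are set in the session cookie options of config.php (the exact keys depend on the version).

```python
"""Audit SSO session cookies for hardening attributes (added example, constructed data)."""

# Constructed sample Set-Cookie headers; values are dummies, not real tokens.
SAMPLE_HEADERS = [
    "Set-Cookie: SimpleSAMLAuthToken=_5e88d57e8dc2049604e8425bec000000; Path=/",
    "Set-Cookie: PHPSESSID=bef282065b2b15c615ad9c0f00000000; Path=/; HttpOnly",
    "Set-Cookie: SimpleSAMLAuthToken=_5e88d57e8dc2049604e8425bec000000; "
    "Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Cookie names that carry authentication state and therefore need the full set of flags.
SESSION_COOKIES = {"SimpleSAMLAuthToken", "PHPSESSID"}


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header line.

    attrs maps lower-cased attribute names to their value, or True for
    valueless flags such as Secure and HttpOnly.
    """
    body = header
    if header.lower().startswith("set-cookie:"):
        body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie_name, list_of_findings); non-session cookies get no findings."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if name not in SESSION_COOKIES:
        return name, findings
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: no cookie-level CSRF mitigation")
    # Rough sanity check: a session identifier should not be short.
    if len(value.lstrip("_")) < 32:
        findings.append("session identifier is shorter than 32 characters")
    return name, findings


def audit_headers(headers):
    """Audit every header and return a list of (cookie_name, findings) in order."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it against the constructed headers and the first SimpleSAMLAuthToken line reports three missing attributes, the PHPSESSID line reports two, the fully flagged line reports none, and the non-session theme cookie is skipped.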
You should probably read these:
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf
https://www.certezza.net/media/45053/saml_-_shibboleth_vulnerability_example.pdf
And if it all happens to go tits up, this one might come in handy too.
The site's using SAML 2.0, so I think that this vulnerability has been patched, although it will not hurt to do some reading on this.
For now I'm going to try and set up my own website. All I have is a basic laptop running Windows 7. I can use Win 7 IIS or WAMP; either way I have a lot of learning to do. I can't even get a basic page up and running without the server saying "Forbidden: you don't have access to view this page".