Add SAML authentication and challenge #533

Closed
jsuleder opened this issue Apr 13, 2018 · 3 comments
jsuleder commented Apr 13, 2018

Hi!
I just read about pentesting and breaking SAML in e.g. On Breaking SAML: Be Whoever You Want to Be and thought about how nice it would be to have a challenge about e.g. signature wrapping in this awesome VWA. There are multiple free hosted test Identity Providers available such as TESTSHIB or OpenIdP which enable SAML assertions to be generated for authentication without increasing the complexity of a local installation of the juice shop unnecessarily.


@agrawalarpit14
Contributor

Hi @bkimminich @jsuleder, I have been reading about SAML. It appears to me that for implementing it, node modules like passport-saml exist, but I wasn't able to find any good resource online. Please point me to something if you know it already.

Further, the link in the description for TESTSHIB is dead and OpenIdP can't be used anymore. (The use of the OpenIdP is now restricted to UNINETT, a state-owned company responsible for Norway's National Research and Education Network.)

@bkimminich
Member

Needs solution design before implementing as this is a quite "enterprisey" feature. Also: Who could the identity provider be? Would have to be something open/free obviously.

@github-actions

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 12, 2021