
Everyone should test their SAML deployments for XML signature wrapping vulnerabilities. XML-DSig is ridiculously complex.

The basic idea is simple: Take a valid SAML assertion and embed it, signature and all, inside a forged SAML assertion. Test your ACS endpoint to make certain it is rejected by the service provider.

https://www.usenix.org/system/files/conference/usenixsecurit...
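To make the test described above concrete from the service-provider side, here is an added example (not code from the comment author or from any SAML library) that contrasts the vulnerable consumption pattern with a structural binding check. The sample Response documents, the `_orig`/`_forged` IDs and the placeholder SignatureValue are constructed for illustration; cryptographic verification of the signature is assumed to be done by the XML-DSig library and is not shown, since the wrapping attack succeeds even when that verification passes.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


# Constructed sample: a legitimate Response with one enveloped-signed Assertion.
CLEAN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_resp">
  <saml:Assertion ID="_orig">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
      <ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the wrapping described in the comment: the original signed
# Assertion (_orig) is embedded, signature and all, inside a forged Assertion (_forged).
# The Reference URI still points at _orig, so the signature itself still verifies.
WRAPPED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_resp">
  <saml:Assertion ID="_forged">
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    <saml:Advice>
      <saml:Assertion ID="_orig">
        <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
        <ds:Signature>
          <ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
          <ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue>
        </ds:Signature>
      </saml:Assertion>
    </saml:Advice>
  </saml:Assertion>
</samlp:Response>"""


def name_id_of(assertion):
    node = assertion.find("%s/%s" % (_q(SAML, "Subject"), _q(SAML, "NameID")))
    if node is None or not node.text:
        raise ValueError("assertion has no Subject/NameID")
    return node.text


def naive_subject(xml_text):
    """Vulnerable pattern: consume the first Assertion in document order,
    regardless of which element the signature actually covers."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//" + _q(SAML, "Assertion"))
    if assertion is None:
        raise ValueError("no Assertion")
    return name_id_of(assertion)


def signed_subject(xml_text):
    """Hardened pattern: consume only the Assertion that the enveloped Signature's
    single Reference points at, and reject any nested or duplicated Assertion."""
    root = ET.fromstring(xml_text)
    # 1. Exactly one Assertion, and it must be a direct child of the Response.
    top_level = root.findall(_q(SAML, "Assertion"))
    total = sum(1 for _ in root.iter(_q(SAML, "Assertion")))
    if len(top_level) != 1 or total != 1:
        raise ValueError("expected exactly one Assertion, found %d top-level / %d total"
                         % (len(top_level), total))
    assertion = top_level[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise ValueError("Assertion lacks an ID")
    # 2. The ID must be unique in the whole document (ID reuse is another wrapping trick).
    if sum(1 for e in root.iter() if e.get("ID") == assertion_id) != 1:
        raise ValueError("duplicate ID %r in document" % assertion_id)
    # 3. Enveloped Signature directly under the Assertion, with exactly one Reference
    #    whose URI names this very element.
    signature = assertion.find(_q(DS, "Signature"))
    if signature is None:
        raise ValueError("Assertion is not signed")
    refs = signature.findall("%s/%s" % (_q(DS, "SignedInfo"), _q(DS, "Reference")))
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion_id:
        raise ValueError("Signature Reference does not cover this Assertion")
    # SignatureValue verification is assumed to be performed by the XML-DSig library;
    # this function only binds the consumed element to the signed element.
    return name_id_of(assertion)


def is_rejected(xml_text):
    """True if the hardened path refuses the document."""
    try:
        signed_subject(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("naive  :", naive_subject(WRAPPED_RESPONSE))   # trusts the forged subject
    print("clean  :", signed_subject(CLEAN_RESPONSE))
    print("wrapped rejected:", is_rejected(WRAPPED_RESPONSE))
```

The point of the check is that the element the application reads attributes from must be the same element the signature's Reference covers, located where the schema expects it, with no second Assertion anywhere in the document. In production, parse with a hardened XML parser (for example defusedxml in Python) and run this binding check in addition to, never instead of, the library's signature verification.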




There's a bunch of things you need to test SAML implementations for, from comment handling to audience checking to SSRF. It's not an easy feature to get right and there's no one good source on all the issues.

My best advice for safely using SAML is: use a library that everyone uses and that is well tested. This is a place where I might stand up a separate service in a different language to get a popular SAML library rather than the shady one that is most convenient for your preferred platform.


I agree with all of this (no wonder since Thomas' opinions and mine largely come from the same place), but dark horses like Kelby Ludwig's canonicalization bug make me even happier if I can outsource that infrastructure to a vendor, perhaps exacerbated since I'm also an infrastructure-focused person.

I'm not all starry-eyed about Cognito, but I know the next libxmlsec1 0day isn't my problem. (Except of course that probably is because some clients don't have Cognito :-))


Any suggestions on what that library/language could be?



