Last year our team was selected to conduct a penetration test of the identity provider (IdP) of WAYF – the Danish Identity Federation for Research and Higher Education. Their IdP supports single sign-on based on SAML and OpenID Connect, both fields in which we have in-depth expertise and many years of experience.
In the following, we summarize the findings of this penetration test and provide the full penetration test report to the public.
WAYF Identity Provider
WAYF (Where Are You From) has been Denmark's Identity Federation for Research and Higher Education since 2008. Today, WAYF has roughly 22 million logins every year from 1.6 million unique identities. The ecosystem consists of around 60 identity providers (IdPs) (e.g., Danish universities and the Danish national ID for citizens and employees) and more than 550 service providers (SPs).
WAYF’s identity provider (IdP) serves as an intermediary entity in the federation ecosystem. All service providers (SPs) in the WAYF ecosystem trust WAYF’s IdP and use it for delegated user authentication. When a user wants to log in at an SP, they are redirected to WAYF’s IdP. WAYF’s IdP is then responsible for authenticating the user via the IdP of the organization the user is affiliated with. WAYF’s IdP acts as an SP towards the organizations’ IdPs. When it receives a response from an organization’s IdP, it needs to verify the response and issue a new response to the SP's initial request. For this process, WAYF’s IdP supports both SAML and OpenID Connect; it is capable of receiving, verifying, and issuing both SAML assertions and OpenID Connect ID tokens. An example of the protocol flow is depicted in Figure 1.
WAYF’s IdP is based on the open-source library wayfhybrid developed by WAYF itself.
Scope of the penetration test – A high level overview of the tested SAML and OIDC protocol flow. (Figure 1)
Results of the Penetration Test
During the penetration test, we identified one weakness classified as Critical and two weaknesses classified as Medium. Additionally, we gave four recommendations to further improve the security of WAYF’s IdP and also reported two bugs (without security impact).
The three weaknesses identified were the following ones:
- The highest-ranked weakness allows an attacker to impersonate any victim registered at any IdP in the WAYF ecosystem when authenticating to WAYF’s IdP. Afterwards, WAYF’s IdP issues a response to the SP containing the victim’s identity. This allows the attacker to impersonate any user at any SP in the WAYF ecosystem. The implementation flaw in WAYF’s IdP was that it accepted a response from an IdP controlled by the attacker even when the authentication flow was initiated with a different organization’s IdP.
- The first Medium-ranked weakness allows embedding the consent page and other pages of WAYF’s IdP into an iframe. This can be used by an attacker to trick a victim into unintentionally performing a login flow.
- The second Medium-ranked weakness enables an attacker to use ID tokens or SAML assertions, issued for a particular party but without valid “audience” information, for another party. This can ultimately enable the attacker to take over the victim’s account.
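The checks that the Critical finding and the audience finding call for can be sketched in Go, the language wayfhybrid is written in. This is an added example, not code from wayfhybrid or from the report: the `Response` and `Pending` types, the `Check` function and all URLs are assumptions, and signature verification is assumed to have happened before `Check` is called.

```go
package main

import (
	"errors"
	"fmt"
)

// Response holds the already signature-verified fields of a SAML response
// or ID token (hypothetical struct, not one of wayfhybrid's types).
type Response struct {
	InResponseTo string   // request ID (SAML) or nonce (OIDC)
	Issuer       string   // entityID / iss of the sending IdP
	Audiences    []string // AudienceRestriction / aud
}

// Pending maps each outstanding request ID to the IdP the request was sent to.
type Pending map[string]string

var (
	ErrUnknownRequest = errors.New("response does not match a pending request")
	ErrIssuerMismatch = errors.New("issuer is not the IdP the flow was started with")
	ErrAudience       = errors.New("audience missing or not addressed to this party")
)

// Check binds a response to the flow that requested it and to this party (self).
func Check(p Pending, self string, r Response) error {
	wantIssuer, ok := p[r.InResponseTo]
	if !ok {
		return ErrUnknownRequest
	}
	delete(p, r.InResponseTo) // consume the request ID: one response per request
	if r.Issuer != wantIssuer {
		return ErrIssuerMismatch
	}
	for _, a := range r.Audiences {
		if a == self {
			return nil
		}
	}
	return ErrAudience // an empty audience list is rejected as well
}

func main() {
	// Constructed sample values: flow started with one IdP, answered by another.
	p := Pending{"req-1": "https://idp.university.example"}
	r := Response{InResponseTo: "req-1", Issuer: "https://idp.attacker.example", Audiences: []string{"https://proxy.example"}}
	fmt.Println(Check(p, "https://proxy.example", r))
}
```
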
The public penetration test report of WAYF's IdP contains all the detected weaknesses, our recommendations, observed bugs, and further security evaluations we performed during our penetration test.
More Security and Transparency with Open Penetration Tests
We want to thank WAYF—and especially the lead developer Mads Freek Petersen—for the excellent cooperation during the whole penetration test and process of mitigating the weaknesses.
We highlight their commitment to security and transparency proven by developing open-source software and agreeing to publish this penetration test report.
Our Experts Develop the Optimal Solution for You
Single Sign-On – SAML – OpenID Connect
Does your Identity and Access Management (IAM) include multiple IdPs and complex federation scenarios?
Are you wondering how to securely implement and use OpenID Connect, SAML, and OAuth in your federation?
We will be glad to advise you; contact us for a no-obligation initial consultation.
Don't hesitate and find your way to secure authentication with us. We look forward to supporting you with your projects.
Your Contact for Penetration Tests
Prof. Dr. Marcus Niemietz