
Dear XXX,


I extend an invitation on behalf of the GÉANT Trust and Identity Incubator for your participation in a workshop on the most valuable scenarios for validating signatures and related security aspects of SAML content produced by Service Providers within federations.

Our objective is to develop a scalable software or service solution that would assist federation operators in testing the security aspects of Service Providers' SAML deployments, with a specific emphasis on signature validation. This solution aims to automate and streamline testing scenarios, including the checking of signature validity, identifying vulnerabilities to signature wrapping attacks, and addressing real-life failures observed in SP deployments. The validation scenarios encompass self-testing by SPs for production readiness, onboarding testing by FedOps, periodic reviews of SPs by FedOps, and testing initiated by client institutions during compliance reviews.

Besides discussing the technical implementation with you, we seek to collaboratively explore technical, operational and legal requirements and risks, taking into consideration real-world arrangements, attitudes and other concerns. Furthermore, we are open to discussing the potential extension of these tests to OIDC RPs.

For more details, please refer to the provided link: https://wiki.geant.org/display/GWP5/Scalable+testing+for+insecure+SAML+signature+validation

We propose the week of January 22 for this meeting but welcome your suggestions for alternative dates and times.

We hope you find this topic intriguing and that you are interested in participating in the proposed workshop.


Sincerely,
YYY
