Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
Andrea Bisegna^1, Roberto Carbone^1 [0000-0003-2853-4269], Ivan Martini^2, Valentina Odorizzi^2, Giulio Pellizzari^2, and Silvio Ranise^1 [0000-0001-7269-9285]
^1 Security & Trust, FBK, Trento, Italy {a.bisegna,carbone,ranise}@fbk.eu
^2 University of Trento, Trento, Italy {ivan.martini,valentina.odorizzi,giulio.pellizzari}@studenti.unitn.it
Abstract. Identity Management (IdM) solutions are increasingly important to building trust in current and future digital ecosystems. Unfortunately, not only their secure deployment but even their usage are non-trivial activities that require a good level of security awareness. For this, we introduce Micro-Id-Gym, an easy to configure training environment in which users can develop hands-on experiences on how IdM solutions work and better understand the underlying security issues.
1 Introduction
As digital services are growing and the Internet of Things is getting larger, individuals need to be in control of their digital identities to manage their interactions with increasingly complex digital services. Failing to design and deploy usable and secure solutions for Identity Management (IdM) may result in a lack of trust in digital ecosystems with negative impact in terms of economy (e.g., higher fees on financial transactions) and society (e.g., limitation of electronic healthcare solutions). To avoid such negative effects, it is crucial to augment the understanding of the main security problems underlying the most widely adopted IdM solutions. This is important not only for security practitioners but virtually anyone dealing with online services, because they are likely to use one of the available infrastructures provided by either enterprises (e.g., Google or Facebook) or public infrastructures for digital identities like the European electronic IDentification, Authentication and trust Services (eIDAS)^3 or the Italian Public System of Digital Identity (SPID).^4
Unfortunately, increasing the security awareness on IdM solutions is far from being a trivial task. This is so because users get bogged down in the myriad of practical technical challenges that they are required to tame when trying to deploy or understand IdM solutions in realistic scenarios. To alleviate these problems, we propose an easy to configure training environment, called Micro-Id-Gym,^5 in which users can develop hands-on experiences on how IdM solutions work and increase their awareness of the underlying security issues. We discuss in more detail the motivations and design goals of Micro-Id-Gym in Section 2 by considering one of the most important IdM solutions, namely Single Sign-On (SSO). Then, we describe Micro-Id-Gym and a typical user experience in Section 3. We conclude and overview future work in Section 4.
^3 https://ec.europa.eu/digital-single-market/en/policies/trust-services-and-eidentification
^4 https://www.agid.gov.it/it/piattaforme/spid
^5 https://sites.google.com/fbk.eu/micro-id-gym
2 A Motivating Use Case Scenario
To illustrate the problems related to understanding complex IdM solutions, we consider the SAML 2.0 Web Browser SSO Profile [6] (abbreviated as SAML SSO in the following), which is one of the most widely adopted authentication protocols.

[Fig. 1: Message Sequence Chart between the client C, the identity provider IdP and the service provider SP; the messages read as follows.]
S1. C -> SP: GET URI
A1. SP -> C: HTTP 302 IdP?SAMLRequest=AuthReq(ID,SP)&RelayState=URI
A2. C -> IdP: GET IdP?SAMLRequest=AuthReq(ID,SP)&RelayState=URI
(IdP builds an authentication assertion AA = AuthAssert(ID,C,IdP,SP))
A3. IdP -> C: HTTP 200 Form(...)
A4. C -> SP: POST SP, Response(ID,SP,IdP,{AA}K^{-1}_{IdP}), RelayState(URI)
S2. SP -> C: HTTP 200 Resource(URI)
Fig. 1. The SAML SSO protocol [2].
Figure 1 shows a Message Sequence Chart (MSC) of the main steps of the SAML SSO protocol, in which three entities are involved: a client (C), an identity provider (IdP) and a service provider (SP). The goal of C (typically a web browser with which a user interacts) is to get access to a service or a resource provided by SP. IdP authenticates C and issues corresponding authentication assertions that are trusted by SP (the trust relationship is depicted with a handshake in the figure). SP uses the assertions generated by IdP to decide on C's entitlement to the requested service or resource. A brief description of the protocol is as follows. C asks SP to provide the resource located at URI (step S1). SP then sends to C an HTTP redirect response (status code 302) to IdP, containing an authentication request AuthReq(ID,SP), where ID is a (pseudo-)randomly generated string uniquely identifying the request (steps A1 and A2). A frequent implementation choice is to use the RelayState field to carry the original URI that C has requested (see [6]). Then IdP challenges C to provide valid credentials (dotted double arrows in the figure): this is not specified in the SAML SSO standard, so as to accommodate any authentication process offered by IdP. If the authentication succeeds, IdP builds an authentication assertion as the tuple AA = AuthAssert(ID, C, IdP, SP) and embeds it in a response message Resp = Response(ID, SP, IdP, {AA}K^{-1}_{IdP}), where {AA}K^{-1}_{IdP} is the assertion signed with IdP's private key (the key icon in the figure). IdP then places Resp and the value of RelayState received from SP into an HTML form and sends the result back to C in an HTTP response (step A3), together with some script that automatically posts the form to SP (step A4). Finally, the SP sends to C an accepted HTTP response (status code 200) containing the requested resource (step S2).
The description of the SAML SSO protocol abstracts away several details that are crucial for security; we highlight some of the most important in the following. The trust relationship between SP and IdP (handshake icon) must be established before running the protocol by distributing appropriate meta-data between the two entities. The three entities shall exchange messages by using the Transport Layer Security (TLS) protocol for confidentiality and integrity. For this, both IdP and SP must have valid X.509 certificates. Users need to register at the IdP to receive credentials. Besides these aspects, additional details play an important role in the security of SAML SSO deployments, including the configurations of auxiliary modules (e.g., omitting checks on macro expansion by XML parsers used for SAML assertions may lead to Denial of Service attacks [5]) and the format of messages (e.g., forgetting a field in a message may lead to man-in-the-middle attacks [1]).
The secure deployment of SAML SSO is a complex and error-prone activity that requires a high level of awareness in several and heterogeneous aspects. It is thus not surprising that attacks have been discovered over the years (e.g., [3]). For instance, if the integrity of the RelayState field (cf. steps A1, A2, and A4 in Figure 1) is not adequately protected, it may allow hackers to mount injection attacks on SPs (we discuss this below). Notice that the SAML Approved Errata [7] emphasizes the importance of the sanitization of the RelayState.
3 Micro-Id-Gym
The main idea underlying Micro-Id-Gym is three-fold. First, its architecture uses container-based microservices and exploits the possibility to set up a local network among them. So, each entity participating in an IdM solution (e.g., IdP and SP of the SAML SSO discussed in Section 2) is encapsulated in a microservice that may interact with the others through standard network primitives (e.g., HTTP requests and redirections). Additionally, containers, in our case those offered by Docker,^6 provide high flexibility in terms of configuration and allow for managing the various technical aspects that are needed to deploy IdM solutions and reproduce realistic scenarios. Second, state-of-the-art penetration testing tools, such as Burp^7 and OWASP ZAP,^8 can be used to monitor the exchange of messages among the microservices in the local network, so that users can understand when and which messages are exchanged among the various entities. This gives users a better understanding of how IdM protocols work. To ease this phase, the penetration testing tool communicates with an application that animates an MSC of the protocol under consideration (e.g., the one depicted in Figure 1). We hope that the integration of standard penetration testing tools in Micro-Id-Gym would make their usage more widespread and ultimately contribute to increasing the understanding of security problems of web applications. The third idea underlying Micro-Id-Gym is to provide an available set of pre-configured deployments that allow even users with a limited security background to get a hands-on experience of IdM solutions without getting lost in low-level details and (hopefully) increase their understanding.
^6 https://www.docker.com
^7 https://portswigger.net
^8 https://www.zaproxy.org
Micro-Id-Gym structures the user experience in four phases. First, set-up consists of describing (selected parts of) the configurations of the entities playing a role in the IdM solution and their relationships. Second, routine amounts to familiarizing users with the intended behavior of the IdM solution while assuming that there are no malicious entities. Third, deviation illustrates one of several ways in which the intended behavior of the IdM solution can be abused by attackers in the presence of (exploitable) vulnerabilities. Fourth, mitigation builds on the description of the vulnerabilities identified in the previous step to propose possible mitigations that make their exploitation more difficult. For the sake of concreteness, we illustrate below these steps on the SAML SSO scenario of Section 2.
3.1 An overview of the user experience with Micro-Id-Gym
We elaborate on the injection attack on the SAML SSO protocol that exploits the lack of integrity checks on the RelayState field introduced in Section 2.
Set-up. The instructor guides the user to load the available scenario allowing for the exploitation of the RelayState vulnerability. This allows for the deployment of an IdP (e.g., Shibboleth^9) and an SP (e.g., an SP based on Java), the assignment of X.509 certificates for TLS connections, the establishment of a trust relationship between them (federation), the formation of a virtual network by using the Docker Compose tool,^10 and the creation of an OpenLDAP module for handling user credentials. The instructor shows where configuration files are stored and discusses selected parts of them; for instance, he/she points out that no sanitization is performed on the RelayState field by the IdP. Finally, he/she illustrates the metadata exchanged for the federation of IdP and SP.
Routine. The instructor explains how to perform the step-by-step execution of the SAML SSO protocol. Users are presented with the situation depicted in Figure 2, where they can see the MSC of the protocol (top left corner), the Burp tool (right half), and the browser of the user (bottom left corner). The SAML SSO protocol is started by the user by interacting with the browser; Burp is configured to intercept relevant messages and to interact with the application animating the MSC. The goal of this step is to make students familiar with the protocol and bridge the gap between the high-level view specified in the MSC and the actual implementation.
^9 https://www.shibboleth.net
^10 https://docs.docker.com/compose
Fig. 2. Micro-Id-Gym: running the SAML SSO protocol.
Deviation. Once users are familiar with the protocol, the instructor discusses the possibility of using Burp not only to intercept messages but also to modify them and mount an attack by exploiting one or more vulnerabilities. As discussed in Section 2, the IdP in this scenario does not sanitize the RelayState field and this lack may be used as a vector for an injection attack. The instructor suggests inserting malicious code to be executed on the SP into the RelayState field of message A2 (resulting from a redirection from the SP to IdP via the browser relay, recall Figure 1). An example of malicious code is a query exfiltrating sensitive information from the database handled by the SP, whose results can be returned as the resource in step S2. Once users have understood how the attack works, the instructor observes that, on the one hand, all SPs federated with the IdP are potential victims of the attack; but, on the other hand, for the attack to be successful the SP must be vulnerable to the injection attack made possible by the modification of the RelayState.
Mitigation. Based on the anatomy of the attack and vulnerability performed in the previous step, the instructor explains that the best security practice to mitigate the attack is to update the configuration of the IdP to enable the sanitization of the RelayState field. After discussing where and how to modify the configuration file and restart the IdP, the instructor asks users to attempt to mount the same injection attack and verify that it is not possible anymore.
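As an added example (not code from the paper or from Micro-Id-Gym itself), the following Python model walks through the RelayState handling of the SAML SSO flow of Figure 1 and the two checks discussed in Section 2 and in the mitigation step above: the IdP-side sanitization that the scenario switches off and on, and the SP-side binding of RelayState to the request it issued. The hostnames, the key, the opaque-token scheme and the HMAC tag standing in for IdP's private-key signature are all constructed assumptions, not the Shibboleth or SP configuration of the real scenario.

```python
import hashlib, hmac, re, secrets
from typing import Dict, Optional

# Constructed stand-ins for the federation metadata and for the IdP's signing
# key (the real AA is signed with IdP's private key; an HMAC tag models that).
IDP, SP = "https://idp.example", "https://sp.example"
IDP_SIGNING_KEY = b"constructed-idp-key"
_RELAYSTATE_OK = re.compile(r"[A-Za-z0-9_\-]{1,80}")  # 80-byte cap from the SAML bindings
_sp_pending: Dict[str, Dict[str, str]] = {}           # SP's outstanding requests, keyed by ID

def sp_auth_request(uri: str) -> Dict[str, str]:
    """Step A1: SP builds AuthReq(ID,SP) and an opaque RelayState bound to URI
    server-side, so no attacker-chosen text has to round-trip via the browser."""
    req_id, relay_state = secrets.token_hex(16), secrets.token_urlsafe(24)
    _sp_pending[req_id] = {"uri": uri, "relay_state": relay_state}
    return {"ID": req_id, "SP": SP, "RelayState": relay_state}

def idp_response(req: Dict[str, str], client: str, sanitize: bool) -> Dict[str, str]:
    """Steps A2/A3: IdP (authentication of C abstracted away) builds AA and the
    form. With sanitize=False RelayState is echoed verbatim: the 'deviation' set-up."""
    if sanitize and not _RELAYSTATE_OK.fullmatch(req["RelayState"]):
        raise ValueError("IdP: RelayState rejected")
    aa = f"{req['ID']}|{client}|{IDP}|{req['SP']}"          # AuthAssert(ID,C,IdP,SP)
    sig = hmac.new(IDP_SIGNING_KEY, aa.encode(), hashlib.sha256).hexdigest()
    return {"ID": req["ID"], "SP": req["SP"], "IdP": IDP, "AA": aa, "sig": sig,
            "RelayState": req["RelayState"]}

def sp_consume(resp: Dict[str, str]) -> str:
    """Steps A4/S2: SP checks the assertion tag, the issuer, the ID it issued and
    that RelayState is exactly the value it bound to that ID."""
    expected = hmac.new(IDP_SIGNING_KEY, resp["AA"].encode(), hashlib.sha256).hexdigest()
    if resp["IdP"] != IDP or not hmac.compare_digest(resp["sig"], expected):
        raise ValueError("SP: bad assertion")
    pending = _sp_pending.pop(resp["ID"], None)
    if pending is None or pending["relay_state"] != resp["RelayState"]:
        raise ValueError("SP: unknown ID or tampered RelayState")
    return pending["uri"]

def run_flow(tampered_relaystate: Optional[str], sanitize: bool) -> str:
    """Drives S1..S2 for one login; returns the resource URI the SP would serve
    in step S2, or the error message of the party that stopped the flow."""
    req = sp_auth_request("/protected/report")
    if tampered_relaystate is not None:          # Burp-style edit of message A2
        req = dict(req, RelayState=tampered_relaystate)
    try:
        return sp_consume(idp_response(req, client="C", sanitize=sanitize))
    except ValueError as err:
        return str(err)
```

With sanitize=False a modified RelayState passes through the IdP and is only caught by the SP's binding check; with sanitize=True it never leaves the IdP, which is the effect of the configuration change the mitigation step describes.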
4 Conclusions and Future Work
We have described Micro-Id-Gym, an easy to configure training environment in which users can develop hands-on experiences on how SAML SSO solutions work and better understand the underlying security issues. For ease of configuration and deployment, Micro-Id-Gym uses container-based microservices and state-of-the-art penetration testing tools. This allows one to create a catalogue of realistic scenarios in which different vulnerabilities and attacks can be re-created, analyzed, and mitigated without getting bogged down in the plethora of practical technical challenges that one has to tame when deploying complex SAML SSO solutions (especially in the case of users with limited security skills).
There are two main lines of future development in Micro-Id-Gym: (i) expand the catalogue of scenarios demonstrating vulnerabilities, attacks, and mitigations for SAML SSO, and (ii) provide support for other IdM solutions, including OAuth 2.0 [4] and OpenID Connect [8].
References
1. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal Analysis of SAML 2.0 Web Browser Single Sign-on: Breaking the SAML-based Single Sign-on for Google Apps. In: FMSE '08. ACM, New York, NY, USA (2008)
2. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Pellegrino, G., Sorniotti, A.: An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations. Computers & Security 33, 41-58 (2013)
3. Engelbertz, N., Erinola, N., Herring, D., Somorovsky, J., Mladenov, V., Schwenk, J.: Security Analysis of eIDAS - The Cross-Country Authentication Scheme in Europe. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18) (2018)
4. Hardt, D.: The OAuth 2.0 Authorization Framework (2012), IETF
5. Mladenov, V.: On the Security of Single Sign-On. Ph.D. thesis, Ruhr-Universität Bochum (2017)
6. OASIS: SAML V2.0 Tech. Overview. http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf (March 2008)
7. OASIS: SAML V2.0 Approved Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf (May 2012)
8. Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C.: OpenID Connect Core 1.0 incorporating errata set 1 (2014), OIDF