...
Here are a few lessons learned from the Office 365 vulnerability.
Tip | ||
---|---|---|
| ||
An email address is not a user identifier. |
The Office 365 incident revolved around the following SAML attribute:
Code Block | ||||
---|---|---|---|---|
| ||||
<saml2:Attribute FriendlyName="IDPEmail"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="IDPEmail">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">ikakavas@mymail.example.com</saml2:AttributeValue>
</saml2:Attribute> |
From a SAML perspective, there are a number of problems with the IDPEmail
attribute shown above but the point that matters most is: The IDPEmail
attribute is not an email address at all.
...
Its value may look like an email address, but in fact, the IDPEmail
attribute corresponds to the User Principal Name (userPrincipalName
or UPN) of the existing account of the user in Azure AD.
That’s an important observation: The IDPEmail
attribute is an identifier, and moreover, it is actually used by the Office 365 application for access control. That leads directly to our next observation.