Generating assertions must be restricted.

STIG ID: SRG-APP-000975-API-001665 | SRG: SRG-APP-000975 | Severity: medium | CCI: CCI-005158, CCI-000366 | Vulnerability Id: V-274841

Vulnerability Discussion

An API may be required to generate assertions when it plays a role in authentication, authorization, or secure data exchange. In protocols like SAML or OpenID Connect, assertions are essential because they serve as trusted claims about a user's identity, permissions, or session status. These assertions, often in the form of tokens like SAML assertions or JWTs, allow different systems to communicate securely and trust the integrity of the transmitted information. By generating assertions, an API ensures that only authenticated users can access protected resources, and that the data exchanged is verifiable and tamper-proof.

Check

Review the API's authentication and authorization mechanisms. Ensure that the assertions are generated by the identity provider (IdP) of the correct identity source.

Verify the API adheres to the defined authentication standards to ensure only authenticated and authorized entities can generate assertions.

Check that the assertions include the necessary identity information (e.g., user ID, roles, and claims) and are signed or encrypted.

Verify the generation process is compliant with any guidelines regarding assertion lifetime, scope, and audience.

Review system logs to confirm the API is correctly implementing the authentication policies and generating assertions only after successful identity verification.

Consult the organization's identity management documentation and compare it to the API's implementation to ensure full alignment with the defined policies.

If the API is not generating assertions in accordance with organization-defined identification and authentication policy, this is a finding.
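The check steps above (assertions minted only after successful identity verification, carrying identity claims, signed, and bounded by lifetime and audience) can be exercised against an implementation. The following is an added example, not code from the STIG or from any particular product: it mints and verifies an HS256 JWT using only the Python standard library. The issuer, audience, lifetime and key are assumed placeholder values.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder policy values; a real deployment takes these from
# the organization's identification and authentication policy and key store.
SECRET = b"example-hmac-key-replace-in-production"  # assumed shared key
ISSUER = "https://idp.example.test"                 # assumed IdP identifier
AUDIENCE = "orders-api"                             # assumed relying API
LIFETIME_SECONDS = 300                              # assumed 5-minute lifetime
REQUIRED_CLAIMS = ("sub", "roles")                  # identity info the check asks for


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(authenticated: bool, user_id: str, roles: list, now: int) -> str:
    """Mint a signed assertion only after identity verification has succeeded."""
    if not authenticated:
        raise PermissionError("assertion requested without verified identity")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "aud": AUDIENCE,
              "iat": now, "exp": now + LIFETIME_SECONDS, "roles": roles}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_assertion(token: str, now: int) -> dict:
    """Enforce algorithm, signature, issuer, audience, lifetime and required claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none or algorithm swaps
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("assertion expired or not yet valid")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing identity claims: {missing}")
    return claims
```

An assertion produced under this policy is rejected once its lifetime passes, if its claims are altered after signing, or if it was requested without a verified identity.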

Fix

Build or configure the API to generate assertions in accordance with organization-defined identification and authentication policy.