[9] https://www.identityblog.com/?p=1011
Case in Point: Session Promiscuity
In 2008, Google's implementation of the SAML-based Single Sign-On protocol opened up a hole that allowed malicious service providers to access Google user accounts [9]. A couple of things to note here:
First, the problem was not with the SAML protocol; it was with Google's implementation. As the NSA likes to say, "We don't break standards, we break implementations." No matter what protocol you use, the standard is only partially relevant: you can build a weak system on a strong protocol.