AttributeStatements, and a published WS-Federation metadata document (documented — README). It has two deployable halves: an Identity Provider (IdP) that authenticates users and issues tokens (STS-backed), and Relying-Party (RP) plugins embedded in a protected web app that redirect unauthenticated users to the IdP and validate the returned token (documented — services/, plugins/).apache/cxf-fediz main/HEAD (2026-05-31).apache/cxf umbrella model; Fediz's SSO trust surface is distinct and modelled here. Produced via the threat-model-producer rubric (https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573).In SSO the security pivot is token validation at the RP and token issuance at the IdP, both around a token that travels through the untrusted browser. Most of this model lives in §8/§9 around those two points.
Intended use (documented): protect web applications by delegating authentication to a Fediz IdP via WS-Federation/SAML-SSO; the RP plugin enforces “authenticated + has claims” before the app runs.
Caller roles:
wtrealm/audience, allowed reply URLs, TLS, and the user/credential store. Trusted; out of model as adversary (§3).Component-family table:
| Family | Entry point | Touches outside process | In model? |
|---|---|---|---|
| RP plugin — token processing | plugins/core (saml, samlsso, processor, handler) | browser-delivered token; IdP cert | Yes |
| RP plugin — container integration | tomcat/jetty/spring/websphere plugins | servlet request/session | Yes |
| IdP service — auth + token issuance | services/ (IdP), login | network; user store; STS | Yes |
| STS / WS-Trust | STS service | crypto; user store | Yes |
| WS-Fed metadata publish | metadata endpoint | network | Yes |
| Examples / systests / packaging | examples/, systests/, apache-fediz, etc/ | — | No → §3 |
examples/, systests/, packaging, and etc/ sample configs (inferred).Two boundaries dominate:
wresult/SAMLResponse to the RP. These bytes are fully attacker-influenceable (the user controls their browser); the RP must treat the token as untrusted until it has verified: the XML signature against the configured IdP signing certificate; the issuer; the audience/wtrealm equals this RP; the conditions/timestamps (NotBefore/NotOnOrAfter, clock skew); one-time use / replay; and that the signature covers the asserted content (anti-XSW) (inferred — samlsso/processor; specifics §14).wtrealm) with a reply address (wreply); it must validate the RP/realm and the reply URL (open-redirect / token-forwarding surface) and protect the login from CSRF/brute-force (inferred).WS-Fed flow parameters (wa, wresult, wctx, wtrealm, wreply, wfresh, wreq) are all attacker-tamperable in the browser and must be validated, not trusted (inferred).
Reachability preconditions: an RP-side finding is in-model if reachable from a crafted/replayed token or flow parameter before the plugin establishes the security context; an IdP-side finding is in-model if reachable from an unauthenticated request to login/metadata/token endpoints; misconfiguration-only outcomes are OUT-OF-MODEL (§3/§5a).
Conditions validation (a skew window applies) (inferred).| Knob (names (inferred)) | Effect | Default ruling needed |
|---|---|---|
| RP signature requirement / trusted IdP certs | Whether unsigned/untrusted tokens are rejected | Open (wave-1): signature + trust mandatory by default? |
Audience (wtrealm) restriction enforcement | Prevents token replay to a different RP | Open (wave-1) |
| Token replay cache (one-time-use) | Replay protection of consumed tokens | Open (wave-1) |
Clock-skew window for Conditions | Forgiveness of timestamp validation | Confirm default |
wreply/reply-URL validation at the IdP | Open redirect / token forwarding | Open (wave-1) |
| SAML XML secure-processing (DTD/entity off) | XXE/XML-DoS on token parse | Confirm inherited CXF defaults |
| TLS enforcement on the flow | Token confidentiality/integrity in transit | Deployer (§10) |
| Entry point | Parameter | Attacker-controllable? | Caller/deployer must enforce |
|---|---|---|---|
| RP plugin | wresult / SAMLResponse (the token) | yes (browser-delivered) | full signature + issuer + audience + conditions + replay + anti-XSW |
| RP/IdP | wctx, wtrealm, wreply, wfresh, wreq, RelayState | yes | validate realm; allow-list reply URLs; treat context as opaque |
| IdP login | username/password / external auth | yes | credential verification; CSRF; throttling |
| IdP metadata endpoint | request | yes | safe publication; no SSRF via metadata refs |
| RP/IdP config (truststore, realm, certs) | all keys | no — deployer-trusted | never sourced from a request |
wresult/parameters, replay a previously valid token, attempt signature-wrapping, forge an assertion, redirect via a manipulated wreply.AttributeStatement claims; open-redirect a user.(All (inferred) pending §14; symptom + severity per the rubric.)
wtrealm matches this RP and its Conditions (NotBefore/NotOnOrAfter, within skew) hold; consumed tokens are replay-protected (inferred). Symptom: cross-RP replay or replay of an expired/old token. Severity: critical.AttributeStatement. Severity: critical.False friends:
wctx/RelayState look like trusted state but are attacker-controlled — treat as opaque, validate on return.Well-known attack classes to keep in view: XML signature wrapping (XSW); unsigned-assertion / signature -stripping acceptance; assertion replay and cross-audience replay; Conditions/clock-skew abuse; open redirect via wreply; XXE/XML-DoS on token parse; CSRF on IdP login; recipient/audience confusion.
wtrealm so tokens for other RPs are rejected.wreply) to prevent open redirect / token forwarding.wreply reply URLs unrestricted at the IdP (open redirect / token forwarding).wctx/RelayState as trusted server state.(v0 seed — the PMC will have the authoritative list — §14.)
KNOWN-NON-FINDING / misconfig unless a default check is missing (then VALID).examples/ / systests/ / sample configs — out of scope (§3).wreply reply-URL validation or IdP login defaults.| Disposition | Meaning | Licensed by |
|---|---|---|
VALID | Violates a claimed property via an in-scope adversary/input in a default/secure configuration. | §8, §6, §7 |
VALID-HARDENING | No §8 property broken, but a §11 misuse is easy enough to warrant a safer default/guard. | §11 |
OUT-OF-MODEL: trusted-input | Requires control of deployer config / signing keys / truststore. | §6 |
OUT-OF-MODEL: adversary-not-in-scope | Requires deployer / IdP-key / credential-store capability. | §7, §3 |
OUT-OF-MODEL: unsupported-component | Lands in examples, systests, packaging, samples. | §3 |
OUT-OF-MODEL: non-default-build | Only when the deployer disabled a validation control. | §5a |
BY-DESIGN: property-disclaimed | Concerns a §9-disclaimed property (no security without trust config; identity ≠ app authorization). | §9 |
KNOWN-NON-FINDING | Matches a §11a entry. | §11a |
MODEL-GAP | Routes to none of the above → revise the model. | §12 |
Wave 1 — RP validation defaults (the SSO crux; §5a/§8):
wtrealm and Conditions (NotBefore/NotOnOrAfter + skew) enforced by default, and is a replay cache on by default? Proposed: all on by default.Wave 2 — IdP & redirect surface (§4/§8/§9): 4. Does the IdP validate wreply reply URLs (allow-list) to prevent open redirect / token forwarding, and is its login CSRF-protected and throttled? Proposed: reply-URL allow-list configured per realm; login CSRF-protected. 5. How is the underlying XML/SAML parsing hardened against XXE/DoS — inherited from CXF/WSS4J secure defaults? Proposed: yes, inherited.
Wave 3 — boundaries & §11a (§3/§9/§11a): 6. Confirm the deployer-misconfiguration boundary (which “insecure” outcomes are OUT-OF-MODEL). Proposed: per §3/§11. 7. From the advisory history, what do scanners most often (re)report that the PMC considers a non-finding? (Seeds §11a.)
Meta: 8. Confirm this model lives in apache/cxf-fediz (linked from its SECURITY.md), separate from the apache/cxf umbrella. Proposed: yes.
Deferred for v0; a threat-model.yaml can later encode the §6 trust table, §2/§3 scoping, §8 rows, §9 false friends, §11a non-findings, and §13 dispositions.