
Attack vectors with encrypted SAML assertion response

Çağlar Arlı


I'm testing a web application which uses SAML SSO. The SAML Response has a signature, and it is verified correctly if the data is tampered with. But I noticed that when the signature is removed completely, authentication to the SP succeeds. In general, it's clear what the issue/vulnerability is here, but the assertion data is encrypted, so I'm not able to modify any of the data.

I can, for example, log in with an admin-level user, store the response and let it expire. Then I log in with a lower-level user, stop the response, change the IssueInstant etc. values to get past the expiration, and copy the admin-level user's encrypted values into the response, but then I get a response saying that the assertion is expired. So it seems that the assertion includes its own expiration time and that it is inside the encrypted data.

In the above scenario the attacker would of course have to gain access to the admin's old SAML response somehow (access to the admin's browser cache or to some logs), but that isn't really relevant.

So the question is: can there still be some real attack scenarios without the ability to break the encryption used for the assertion, or does the encryption mitigate the invalid signature check completely?
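The signature-stripping behaviour the question describes, as an added example that is not the poster's code or the application under test: a Service Provider check that only verifies a `ds:Signature` when one happens to be present, beside a hardened check that requires exactly one signature as a direct child of the Response and verifies it. The SAML messages are constructed, and the real XML-DSig is replaced by a stand-in HMAC (the hypothetical `sign_response` / `_verify_signature` helpers, computed over the Response with its Signature element removed, like an enveloped signature) so the script runs offline with the standard library. Decrypting the EncryptedAssertion and checking its NotOnOrAfter is out of scope here; the point is that the assertion's encryption never enters the decision, so only the Response-level signature check stops a stripped-and-edited Response.

```python
"""Signature-stripping check on a SAML Response with an EncryptedAssertion.

Added example, not from the original post. Sample messages are constructed;
the stand-in HMAC replaces XML-DSig so everything runs with the stdlib.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SIG_TAG = "{%s}Signature" % NS["ds"]
SIGVAL_TAG = "{%s}SignatureValue" % NS["ds"]
ENC_TAG = "{%s}EncryptedAssertion" % NS["saml"]

# Assumption: this key stands in for the IdP signing certificate the SP trusts.
IDP_KEY = b"constructed-idp-signing-key"

# Constructed Response skeleton; the EncryptedAssertion body is an opaque blob.
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" '
    'Version="2.0" IssueInstant="{issued}" InResponseTo="_req1">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:EncryptedAssertion>{blob}</saml:EncryptedAssertion>"
    "</samlp:Response>"
)


def build_response(blob, issued="2024-05-01T10:00:00Z"):
    return RESPONSE_TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"],
                                    issued=issued, blob=blob)


def _signed_content(root):
    """Bytes the stand-in signature covers: the whole Response minus its own
    ds:Signature child, mirroring an enveloped XML-DSig over the Response."""
    clone = copy.deepcopy(root)
    for sig in clone.findall(SIG_TAG):
        clone.remove(sig)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode")).encode()


def sign_response(xml_text, key=IDP_KEY):
    """Hypothetical IdP side: append a ds:Signature carrying the HMAC."""
    root = ET.fromstring(xml_text)
    mac = hmac.new(key, _signed_content(root), hashlib.sha256).hexdigest()
    ET.SubElement(ET.SubElement(root, SIG_TAG), SIGVAL_TAG).text = mac
    return ET.tostring(root, encoding="unicode")


def _verify_signature(root, key):
    sig = root.find(SIG_TAG)
    value = sig.findtext(SIGVAL_TAG, default="")
    expected = hmac.new(key, _signed_content(root), hashlib.sha256).hexdigest()
    return hmac.compare_digest(value, expected)


def vulnerable_accept(xml_text, key=IDP_KEY):
    """Buggy SP: verifies the signature only if a ds:Signature is present, so a
    Response with the Signature element deleted is accepted as-is."""
    root = ET.fromstring(xml_text)
    if root.find(SIG_TAG) is not None and not _verify_signature(root, key):
        return False
    return root.find(ENC_TAG) is not None


def hardened_accept(xml_text, key=IDP_KEY):
    """Hardened SP: exactly one Signature, a direct child of the Response,
    and it must verify. The inner assertion signature (if any) cannot be
    checked before decryption, so the Response-level signature is mandatory."""
    root = ET.fromstring(xml_text)
    if len(root.findall(SIG_TAG)) != 1 or not _verify_signature(root, key):
        return False
    return root.find(ENC_TAG) is not None


def strip_signature(xml_text):
    """Attacker step from the question: delete the Signature element."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(SIG_TAG):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def tamper(xml_text, blob=None, issued=None):
    """Attacker step: swap in another user's encrypted blob and/or IssueInstant."""
    root = ET.fromstring(xml_text)
    if blob is not None:
        root.find(ENC_TAG).text = blob
    if issued is not None:
        root.set("IssueInstant", issued)
    return ET.tostring(root, encoding="unicode")


def demo():
    admin_blob, user_blob = "QURNSU4tQ0lQSEVSVEVYVA==", "VVNFUi1DSVBIRVJURVhU"  # constructed
    user = sign_response(build_response(user_blob))
    # Stripped signature + admin's blob + fresh IssueInstant, as in the question.
    forged = tamper(strip_signature(user), blob=admin_blob, issued="2024-05-02T09:00:00Z")
    return {
        "signed_user_vuln": vulnerable_accept(user),
        "signed_user_hard": hardened_accept(user),
        "forged_vuln": vulnerable_accept(forged),   # the bug: accepted
        "forged_hard": hardened_accept(forged),     # rejected: no signature
        "tampered_signed_vuln": vulnerable_accept(tamper(user, blob=admin_blob)),  # sig fails
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Because the stand-in signature covers the Response element's own attributes as well as the EncryptedAssertion, the IssueInstant edit from the question is rejected together with the blob swap once a signature is required; a Response with the signature present but the blob exchanged fails under both validators, which matches the poster's observation that tampering is detected only while the Signature element is still there. In a real SP this corresponds to configuring "require a signed Response" rather than "verify if signed", and to checking the signature against the pinned IdP certificate rather than whatever KeyInfo the message carries.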