Tags: security, asp.net-identity, single-sign-on, saml, trust

How can I fully trust a SAML IDP?


My web application is allowing SSO via SAML authentication and I am doing the development now. The idea is that this bypasses my application's local authentication and the user is automatically authenticated once they authenticate with the SAML IDP. We will have the X.509 cert from the provider, so they are trusted to an extent.

In my application, on return from SAML auth, I take an email as the identifier from the IDP and use that to load the user's session. But this is clearly dangerous, as the IDP could spoof the email, from another company even. What can I do to secure this?


Solution

  • In my application, on return from SAML auth, I take an email as the identifier from the IDP and use that to load the user's session. But this is clearly dangerous, as the IDP could spoof the email, from another company even.

    No. It's not, unless you're taking on an insecure integration approach.

    The SAML2 IDP and your SP establish mutual trust by sharing SAML2 metadata, whether as physical files, payloads over URLs, etc. Your SP will only talk to the IDPs it trusts by means of metadata, and the validity of metadata can also be verified using appropriate keys. Furthermore, responses that are issued by the IDP can be signed and encrypted, and in theory only the SP for whom a response is issued can verify the integrity and authenticity of the response and optionally decrypt it to get to the appropriate data. If your SP is blindly trusting data that comes from any SAML2 IDP, then yes, this is dangerous, but this is an issue with your setup and not "the IDP spoofing" the email address.

    What can I do to secure this?

    Make sure the IDP is signing appropriate responses/assertions for you, and that your SP is properly validating the response, including its signature. If you're concerned about data visibility, you can ask the IDP to encrypt that response/attributes/nameIDs for you. At the end of the day, if and when all this passes, you are to trust the IDP with the data you correctly and trustfully receive back. If the IDP sends you an "invalid" email address, even after having validated everything, that's something to take up with the IDP, and not an "insecurity".
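As an added example (not code from the question or the answer), the checks the answer lists written for an ASP.NET SP with .NET's built-in `SignedXml`: the issuer must appear in the trust list built from exchanged metadata, the assertion signature must verify against that IdP's metadata certificate and must cover the assertion itself, and the audience and expiry must match before the NameID is used. `SamlTrust`, `AcceptedEmail` and the `trustedIdps` registry are assumptions; the assertion is assumed to be in plaintext (an `EncryptedAssertion` would be decrypted with the SP key first, which is not shown).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlTrust
{
    const string Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Returns the NameID (the email in the question's setup) only after every trust
    // check passes; throws otherwise. trustedIdps is an assumed registry built from
    // the exchanged metadata: IdP entityID -> that IdP's signing certificate.
    public static string AcceptedEmail(string responseXml,
        IReadOnlyDictionary<string, X509Certificate2> trustedIdps, string spEntityId)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // required for XML-DSig
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", Samlp); ns.AddNamespace("saml", Saml);
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        // 1. Only an IdP we exchanged metadata with is consulted at all.
        var assertion = (XmlElement)(doc.SelectSingleNode("/samlp:Response/saml:Assertion", ns)
            ?? throw new InvalidOperationException("no plaintext assertion"));
        var issuer = assertion.SelectSingleNode("saml:Issuer", ns)?.InnerText.Trim();
        if (issuer == null || !trustedIdps.TryGetValue(issuer, out var idpCert))
            throw new InvalidOperationException("issuer not in trusted metadata");
        // 2. Signature verified with the metadata cert (never one carried in the
        //    message) and it must reference this assertion's ID, not another element.
        var sigElem = (XmlElement)(assertion.SelectSingleNode("ds:Signature", ns)
            ?? throw new InvalidOperationException("assertion is not signed"));
        var signed = new SignedXml(doc); signed.LoadXml(sigElem);
        if (!signed.CheckSignature(idpCert, verifySignatureOnly: true))
            throw new InvalidOperationException("signature does not verify");
        var covered = false;
        foreach (Reference r in signed.SignedInfo.References)
            covered |= r.Uri == "#" + assertion.GetAttribute("ID");
        if (!covered) throw new InvalidOperationException("signature covers another element");
        // 3. Issued to this SP and not expired (a missing NotOnOrAfter fails closed).
        var cond = (XmlElement)(assertion.SelectSingleNode("saml:Conditions", ns)
            ?? throw new InvalidOperationException("no Conditions"));
        if (cond.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns)?.InnerText.Trim() != spEntityId)
            throw new InvalidOperationException("not issued to this SP");
        if (DateTime.UtcNow >= XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc))
            throw new InvalidOperationException("assertion expired");

        return assertion.SelectSingleNode("saml:Subject/saml:NameID", ns)?.InnerText.Trim()
            ?? throw new InvalidOperationException("no NameID");
    }
}
```

Only the value this method returns should be used to load a session; any exception means the message is dropped, and a signature that verifies but points at a different element is treated the same as no signature.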