You'll want this when you're poking at enterprise SSO flows and need to think through SAML trust assumptions systematically. It walks you through signature wrapping, audience restriction bypasses, assertion replay, and the kinds of XML parsing quirks that let you impersonate users across identity provider boundaries. The triage checklist is solid: capture the full round trip, check which nodes are actually signed, test both SP-initiated and IdP-initiated flows, then start swapping attributes and issuers. It focuses on the trust confusion and binding logic that break most often in real deployments, not just textbook vulnerabilities.
npx skills add https://github.com/yaklang/hack-skills --skill saml-sso-assertion-attacks