SAML XML Canonicalization vulnerability and ForgeRock products

Last updated Feb 2, 2022

The purpose of this article is to provide information on whether ForgeRock products (AM/OpenAM, DS/OpenDJ, IDM/OpenIDM and IG/OpenIG) are vulnerable to the SAML XML Canonicalization issue.


This article has been archived and is no longer maintained by ForgeRock.

ForgeRock products

A vulnerability in some implementations of the SAML federation standard was recently publicly disclosed, affecting multiple vendors. Incorrect handling of XML canonicalization during verification of digital signatures on SAML assertions could be used by an attacker to bypass authentication controls. This issue has been assigned multiple CVEs for different vendors:

  • CVE-2017-11427 - OneLogin’s "python-saml"
  • CVE-2017-11428 - OneLogin’s "ruby-saml"
  • CVE-2017-11429 - Clever’s "saml2-js"
  • CVE-2017-11430 - "OmniAuth-SAML"
  • CVE-2018-0489 - Shibboleth openSAML C++
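
The class of bug behind these CVEs is a mismatch between what the signature verifier canonicalizes and what the application then reads out of the verified element. The example below is added here for illustration; it is not ForgeRock code and does not describe how any ForgeRock product parses assertions. It uses only the Python standard library, the sample `<Subject>` fragments are constructed, and the specific mechanism it shows (an XML comment splitting a text node so that a first-text-node read returns only a prefix, while comment-free canonicalization signs the full text) is the publicly documented behaviour from the original research, not something stated on this page. The hardened extractor rejects identifiers containing comments or child elements and otherwise returns the same text the canonicalized signature input contains.

```python
"""Compare a fragile NameID read with a canonicalization-consistent one.

Added example (not ForgeRock or any vendor's code). Standard library only.
"""
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragments; not taken from any real IdP response.
CLEAN_XML = (
    '<Subject xmlns="%s"><NameID>alice@example.com</NameID></Subject>' % SAML_NS
)
COMMENT_XML = (
    '<Subject xmlns="%s">'
    "<NameID>alice@example.com<!-- c -->.example.net</NameID>"
    "</Subject>" % SAML_NS
)


def _name_id_nodes(xml_text: str):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")


def naive_name_id(xml_text: str) -> str:
    """Fragile pattern: read only the first child text node.

    A comment inside the element splits its text into two nodes, so this
    returns a prefix of what the signed (canonicalized) content contains.
    """
    node = _name_id_nodes(xml_text)[0]
    return node.firstChild.data


def canonical_text(node) -> str:
    """Concatenate all text descendants, skipping comments.

    Exclusive XML Canonicalization without comments strips comment nodes,
    so this is the text the signature actually covers for the element.
    """
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            parts.append(canonical_text(child))
        # Comment and processing-instruction nodes are deliberately skipped.
    return "".join(parts)


def has_comment(node) -> bool:
    """True if the element or any descendant contains an XML comment."""
    return any(
        c.nodeType == c.COMMENT_NODE
        or (c.nodeType == c.ELEMENT_NODE and has_comment(c))
        for c in node.childNodes
    )


def safe_name_id(xml_text: str) -> str:
    """Hardened extraction: exactly one NameID, no comments, no child elements.

    Returns the same text the canonicalized signature input contains.
    """
    nodes = _name_id_nodes(xml_text)
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    node = nodes[0]
    if has_comment(node):
        raise ValueError("NameID contains an XML comment; rejecting assertion")
    if any(c.nodeType == c.ELEMENT_NODE for c in node.childNodes):
        raise ValueError("NameID contains child elements; rejecting assertion")
    return canonical_text(node)


def is_rejected(xml_text: str) -> bool:
    """Convenience wrapper so callers can check the hardened path's verdict."""
    try:
        safe_name_id(xml_text)
        return False
    except ValueError:
        return True


def extraction_is_consistent(xml_text: str) -> bool:
    """True when the naive read agrees with the canonical text of the NameID."""
    node = _name_id_nodes(xml_text)[0]
    return naive_name_id(xml_text) == canonical_text(node)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_XML), ("comment", COMMENT_XML)):
        print(label, "naive:", naive_name_id(sample),
              "consistent:", extraction_is_consistent(sample),
              "rejected:", is_rejected(sample))
```

The useful check for a relying party is `extraction_is_consistent`: if the identifier the application acts on differs from the canonical text of the signed element, the signature verified something other than what is being trusted. A consumer that wants to fail closed can simply reject any assertion for which `has_comment` is true, as `safe_name_id` does.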

ForgeRock has carefully assessed our implementations of SAML 1.x, SAML2, OAuth2 SAML2 Grant, WS-Federation and the Java Fedlet, and determined that we are not affected by this vulnerability.

More information about the vulnerability can be found on the security researchers' blog post:

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.