This article has been archived and is no longer maintained by ForgeRock.
A vulnerability in some implementations of the SAML federation standard was recently disclosed publicly and affects multiple vendors (https://www.kb.cert.org/vuls/id/475445). Incorrect handling of XML canonicalization during verification of digital signatures on SAML assertions could be used by an attacker to bypass authentication controls. This issue has been assigned multiple CVEs for different vendors:
- CVE-2017-11427 - OneLogin’s "python-saml"
- CVE-2017-11428 - OneLogin’s "ruby-saml"
- CVE-2017-11429 - Clever’s "saml2-js"
- CVE-2017-11430 - "OmniAuth-SAML"
- CVE-2018-0489 - Shibboleth openSAML C++
ForgeRock has carefully assessed its implementations of SAML 1.x, SAML2, the OAuth2 SAML2 Grant, WS-Federation and the Java Fedlet, and determined that they are not affected by this vulnerability.
More information about the vulnerability can be found on the security researchers' blog post: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
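The following is an added illustration, not ForgeRock's code nor that of any vendor listed above, of the check that separates an affected SAML implementation from an unaffected one. It assumes the mechanism described in the linked Duo write-up rather than on this page: the affected libraries read only the first text node of `<NameID>`, while the canonicalization used for signature verification strips XML comments, so a NameID split by a comment carries a valid signature yet is read back as a shorter value. The assertions below are constructed samples.

```python
"""Added illustration (not ForgeRock's or any listed vendor's code) of the
signature-versus-text mismatch behind the CVEs above.

Assumption taken from the linked Duo write-up, not from this page: the
affected libraries read only the first text node of <NameID>, while the
XML canonicalization used for signature verification strips comments, so
a NameID split by a comment still carries a valid signature yet is read
back as a different, shorter value. The assertions below are constructed."""
from xml.dom import minidom

# Constructed samples: a normal assertion and one whose NameID is split by a comment.
CLEAN_ASSERTION = (
    "<Assertion><Subject><NameID>alice@example.com</NameID></Subject></Assertion>"
)
SPLIT_ASSERTION = (
    "<Assertion><Subject><NameID>alice@example.com<!-- -->.example.org</NameID>"
    "</Subject></Assertion>"
)

def _name_id_element(assertion_xml: str) -> minidom.Element:
    return minidom.parseString(assertion_xml).getElementsByTagName("NameID")[0]

def naive_name_id(assertion_xml: str) -> str:
    """The fragile pattern: trust the first text node only."""
    return _name_id_element(assertion_xml).firstChild.nodeValue

def strict_name_id(assertion_xml: str) -> str:
    """Hardened read: every child must be text, and all of it is used, so the
    value matches what canonicalization signed (comments are rejected outright)."""
    parts = []
    for child in _name_id_element(assertion_xml).childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected {child.nodeName} node inside NameID")
        parts.append(child.data)
    value = "".join(parts).strip()
    if not value:
        raise ValueError("empty NameID")
    return value

def accepts_name_id(assertion_xml: str) -> bool:
    """True when the hardened read accepts the assertion's NameID."""
    try:
        strict_name_id(assertion_xml)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(naive_name_id(SPLIT_ASSERTION))    # alice@example.com (truncated)
    print(accepts_name_id(SPLIT_ASSERTION))  # False
```

An implementation that reads the subject the way `strict_name_id` does verifies and consumes the same bytes, which is the property the affected libraries lacked.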