On February 27, Duo Security reported SAML single sign-on has a vulnerability that could enable attackers to easily take over a victim's account. Vendors impacted by the vulnerability such as Okta, OneLogin, OmniAuth, Clever Inc and the Shibboleth Consortium have been alerted, although it’s difficult to identify and notify all users who could be at risk.
Passport Is Not Impacted
Fortunately, Passport is not impacted by this vulnerability since we don’t rely on the SAML protocol. When we developed Passport, we considered using SAML as part of our solution but did not implement it for a couple of reasons:
- SAML is an older standard that is heavy-weight and often times overkill for most applications.
- SAML 2 was released in 2005 and has not had a significant update since then. At the pace of modern development, that is entering retirement age.
- SAML is XML based and there are several modern alternatives. We developed our solutions based on modern coding strategies.
Instead, we chose to implement OAuth and OpenID Connect, which are modern protocols with wide support, improved security and adoption.
It’s interesting that the recently reported vulnerabilities were not in the SAML protocol itself, but were with several implementations that would allow attackers to tamper with a SAML message in order to authenticate themselves as any user. The vulnerabilities were found in multiple SAML libraries including OneLogin's python-saml and ruby-saml, Clever's saml2-js, OmniAuth-SAML and Shibboleth openSAML C++.
Security Providers May Not Be Aware
The eWeek article states that Duo Security worked with CERT to notify larger vendors that could be at risk and to patch the issues that were discovered, but it also points out that there may be additional risk to smaller organizations who use the impacted libraries and may not have been contacted. While they haven’t seen any exploits in the wild so far, they suggest that organizations check with their SAML service providers immediately to verify that they are not at risk.
SAML Single Sign-on Vulnerability Detail
If you would like specific details on how the vulnerability was discovered and how it works, check out this post from Kelby Ludwig at Duo Labs. It explains how an authenticated user can trick SAML systems into authenticating as a different user without knowledge of their password. And it could be the first usage of the word canononononicalizizization.
Learn More About Passport
Passport is designed to be the most flexible and secure Customer Identity and Access Management solution available on the market. More than a basic login tool, we provide registration, data search, user segmentation and advanced user management across applications. Find out more about Passport and sign up for a free trial today.