I became a maintainer of a popular #SAML library for Node.js, "node-saml", which in turn uses "xml-crypto", which in turn is based on XML signatures.
If you are still using SAML for #SSO, be aware there has been string of SAML vulnerabilities related to the fundamentals of how it works and there are likely to be more. You are advised to OIDC instead.
In this thread, I'll discuss some of weaknesses in SAML that have come up repeatedly. 
Long shot, but: As my project for #eh22 I was thinking about extending our #Keycloak configuration auditor with some checks for #SAML-based authentication. However, I know next to nothing about SAML and am a bit lost, to be honest. If anyone is at #eh22 who has some knowledge about SAML security and common misconfigurations (on the server or client side), and wants to collaborate to create some checks for #kcwarden (https://github.com/iteratec/kcwarden), hit me up.
LemonLDAP::NG 2.21 is out!
This new release includes improvements on OpenID Connect and CAS protocols, Loki logger, public notifications and much more.
Read our release notes: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/
Learnings am Wegesrand: Für die Signierung und Verschlüsselung von #SAML-Metadaten nutzt man wegen der häufigen Rotationen und fehlender Automatisierungsmöglichkeit bei Kommunikationspartnern ja meist keine Letsencrypt-Zertifikate. Gestern dachte ich, ach für diesen kurzen Test geht’s mal. Und dann habe ich lange nach dem Fehler gesucht und gemerkt, dass Letsencrypt inzwischen EC-Schlüssel statt RSA generiert,mit denen der #Shibboleth SP nicht signieren kann. #til #sso #singlesignon
Du verwendest #SAML #Authentifizierung?
Die letzten #Mastodon #Releases enthalten wichtige Sicherheitsupdates.
https://github.com/mastodon/mastodon/releases
Hivemind:
Roll your own SAML (like, no IdP)?
GitHub uncovers new Ruby-SAML Vulnerabilities allowing Account Takeover Attacks.
Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.
![[ImageSource: GitHub]
"Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user," GitHub Security Lab researcher Peter Stöckli said in a post.
The Microsoft-owned subsidiary also noted that the issue boils down to a "disconnect" between verification of the hash and verification of the signature, opening the door to exploitation via a parser differential.
Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7).
⚠️Users are recommended to update to the latest version to safeguard against potential threats.⚠️
The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.](https://nerdculture.de/system/media_attachments/files/114/177/947/075/555/612/original/721ecee68734690f.jpeg "[ImageSource: GitHub]
\"Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user,\" GitHub Security Lab researcher Peter Stöckli said in a post.
The Microsoft-owned subsidiary also noted that the issue boils down to a \"disconnect\" between verification of the hash and verification of the signature, opening the door to exploitation via a parser differential.
Versions 1.12.4 and 1.18.0 also plug a remote denial-of-service (DoS) flaw when handling compressed SAML responses (CVE-2025-25293, CVSS score: 7.7).
⚠️Users are recommended to update to the latest version to safeguard against potential threats.⚠️
The findings come nearly six months after GitLab and ruby-saml moved to address another critical vulnerability (CVE-2024-45409, CVSS score: 10.0) that could also result in an authentication bypass.")
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
GitLab naprawia podatności związane z biblioteką ruby-saml
GitLab ogłosił wydanie nowych wersji oprogramowania. Aktualizacja dotyczy zarówno Community Edition, jak i Enterprise Edition. Poprawione wersje to 17.9.2, 17.8.5 oraz 17.7.7. Najważniejsza poprawka dotyczy dwóch podatności (CVE-2025-25291, CVE-2025-25292), zgłoszonych w bibliotece ruby-saml, która jest wykorzystywana przez GitLab do SAML SSO (security assertion markup language; single sign-on). W pewnych okolicznościach...
#WBiegu #Cve #Gitlab #Graphql #Podatności #Rce #Ruby #Saml
https://sekurak.pl/gitlab-naprawia-podatnosci-zwiazane-z-biblioteka-ruby-saml/
Wir haben auf die Mastodon Version 4.3.6 upgedated. Dies beinhaltet wichtige Sicherheitskorrekturen für alle, die SAML Single-Sign-On verwenden.
Bitte weiter tooten 
GitLab Addresses Critical Security Flaws: A Deep Dive into Recent Vulnerabilities
GitLab has released crucial updates to patch nine vulnerabilities, including two critical authentication bypass issues in the ruby-saml library. This article explores the implications of these vulnera...
Deux vulnérabilités (CVE-2025-25291, CVE-2025-25292) permettent de contourner l’authentification SAML (SSO) sur GitHub et GitLab via une attaque par « signature wrapping ».
Un attaquant disposant d'une signature valide pourrait ainsi se connecter sous l’identité d’un autre utilisateur. La prudence est de mise, surtout qu’un gang spécialisé dans les ransomwares a récemment ciblé ces plateformes. L’exploitation active est à ce jour inconnue.
GitLab recommande fortement la mise à jour vers 17.9.2 :
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
GitHub – Sign in as anyone (détails techniques) :
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
#Cyberveille
#vulnerabilite
#GitHub
#GitLab
#SAML
#CVE_2025_25291
#CVE_2025_25292
If you run #gitlab with #SAML authentication, you better upgrade as soon as possible
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
Nous avons eu le plaisir de participer aujourd'hui à l'enregistrement d'un épisode du Podcast "Tout est sous CTRL" produit par nos amis de Centreon.
Interviewé par Vincent Untz , @clementoudot est venu parler de gestion des identités et des accès (IAM), d'authentification mutli-facteurs (2FA/MFA) et de PasswordLess, mais surtout d'Open Source !
Could we please, please, PLEASE agree on /.well-known/saml/metadata.xml ? Yes?
In Eurem UCS läuft nach der Keycloak-Anbindung die Portal-Session ständig ab? Jeder Client kann in Keycloak eine eigene Session Lifetime haben, unabhängig von den globalen Token Lifetime im Realm.
So stellt Ihr 10 Stunden ein:
univention-keycloak saml/sp update https://portal.example.org/univention/saml/metadata '{"attributes": {"saml.assertion.lifespan": "36000"}}'
In der Oberfläche: Clients -> Portal -> Reiter "Erweitert" -> Runterscrollen -> "Assertion Lifespan".
At the last @univention summit I gave an introduction to the Keycloak app in Nubus. You missed it? There is a blog post now:
Navigating the Keycloak Admin Console with Nubus: A Step-by-Step Introduction
https://www.univention.com/blog-en/2024/10/navigating-the-keycloak-admin-console/
Auf dem @univention Summit hatte ich eine Einführung in die Bedienung der Keycloak-App auf Nubus gegeben. Das habe ich nun nochmal verbloggt, für alle, die es gerne nachlesen möchten:
Keycloak Admin Console mit Nubus: Der Einstieg leichtgemacht
https://www.univention.de/blog-de/2024/10/keycloak-admin-console/
#keycloak #nubus #univention @univention #singlesignon #oidc #saml
decio 
