The attackers then insert a second, faux assertion–claiming to be an admin–into the already obtained, signed XML snippet. Owing to lax parsing guidelines in samlify variations previous to 2.10.0, the service supplier finally ends up processing the attacker’s faux, unsigned identification together with the unique signature.
Endor Labs researchers warned that this flaw opens the door to SAML SSO bypass and is straightforward to take advantage of because the “assault complexity is low”, “no privileges are required”, and “no consumer interplay is required”. Moreover, the requirement for acquiring a signed XML was famous as “reasonable”.
SAML authenticators ought to replace to patched variations
The flaw has been addressed by way of patches in samlify variations 2.10.0 and later.
