SimpleSAML.php Remediation

by BeyondID



A security vulnerability has been identified in some versions of the Open Source SimpleSAMLphp package. BeyondID partner Okta has recognized that this may affect one or more of the custom applications within some of its customers’ Okta environments if they are using an outdated version of SimpleSAMLphp to provide SAML.


This vulnerability does not affect Okta and requires no admin actions for your tenant. However, it does mean that any custom applications that use outdated versions of SimpleSAML.php will be vulnerable to authentication bypass.


Technical Details

  • Using an outdated version of SimpleSAMLphp in a custom application means an attacker may be able to spoof the SAML assertion and log in as one of your users.

  • Attackers can bypass the integrity and authenticity protection of an application’s SAML assertion and arbitrarily change its contents by using a variant of an XML Signature Wrapping (XSW) attack in SimpleSAMLphp.

  • The vulnerability affects SimpleSAMLphp which typically uses a Single Sign On (SSO) URL that contains ‘/saml2-acs.php/’. Using this detail, Okta was able to identify one or more applications configured within your Okta tenant that likely are using the Open Source SimpleSAMLphp package. Any applications matching this description should be reviewed to ensure that the latest library version is in use. The SSO URL of an application can be seen in Okta under General->SAML Settings.


Resolution

This issue can be fixed by upgrading to version 1.17.7 or later, which can be found here. The owner of the source code for the application will need to conduct necessary actions to upgrade the SimpleSAMLphp package.


If you don’t own the application that needs to be upgraded, reach out to your vendor or a partner who can help.


BeyondID Can Help

BeyondID, an Okta Platinum Services Partner, can assist organizations to remediate this vulnerability quickly. We have helped thousands of customers successfully acquire, deploy and manage cybersecurity, cloud, and Identity and Access Management platforms, as well as countless integrations. BeyondID is and a proud recipient of Okta’s 2019 Customer Success Award.


Please reach out to us at support@BeyondID.com

Tel: +1 (415) 878 6210,  Email: info@Beyondid.com