Placeholder task. See T8787.
---
SAML and the SAML ecosystem have a perplexing track record:
**Signature Wrapping**: A 2012 paper ([[ https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/somorovsky | Somorovsky 2012]]) found a signature-wrapping vulnerability in 11 of 14 major SAML frameworks.
**GitHub Enterprise**: GitHub implemented and shipped a version of SAML that didn't actually check signatures ([[ http://www.economyofmechanism.com/github-saml.html | see writeup ]]). GitHub's implementation was also vulnerable to the attack described by Somorovsky, above, despite being implemented four years after the attack was disclosed.
**OneLogin**: OneLogin, the SAML provider we've seen the greatest interest in from users, suffered [[ https://arstechnica.com/information-technology/2017/06/onelogin-data-breach-compromised-decrypted/ | a major breach in May 2017 ]].
**Pysaml2**: `pysaml2` used an [[ https://github.com/rohe/pysaml2/issues/451 | assert to do password checks ]], so the check was silently skipped whenever Python ran with optimizations enabled (`-O` strips assert statements). (I'm not sure this library is terribly widely deployed, but it has almost 3K commits and 67 contributors at time of writing.)
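A worked illustration of the assert pitfall behind the pysaml2 issue above, added here as an example and not pysaml2's own code. The credential store, salt, usernames and passwords are constructed; the two checker sources are compiled with Python's `compile(..., optimize=1)`, which removes assert statements exactly as running the interpreter under `-O` does, so the difference between the assert-guarded check and an ordinary `if` can be observed in one process:

```python
"""Why `assert` must not guard a security check: Python drops assert
statements when optimizations are on, so the guarded code continues as if
the check had passed. Added example, not code from pysaml2."""
import hashlib
import hmac

# Constructed sample credential store: username -> salted SHA-256 digest.
_SALT = b"constructed-salt"
STORED = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Both checkers are kept as source text so each can be compiled with and
# without optimizations and the behaviour compared.
VULNERABLE_SRC = '''
def check_password(user, password):
    # Mirrors the pysaml2 pattern: the comparison lives inside an assert,
    # which the compiler removes entirely at optimize=1 (-O).
    assert hmac.compare_digest(STORED[user], _digest(password)), "bad password"
    return True
'''

SAFE_SRC = '''
def check_password(user, password):
    # The comparison is ordinary control flow and survives -O.
    if not hmac.compare_digest(STORED[user], _digest(password)):
        raise PermissionError("bad password")
    return True
'''


def build_checker(src: str, optimize: int):
    """Compile `src` at the given level (0 = normal, 1 = equivalent to -O)
    and return its check_password function."""
    namespace = {"hmac": hmac, "STORED": STORED, "_digest": _digest}
    exec(compile(src, "<checker>", "exec", optimize=optimize), namespace)
    return namespace["check_password"]


def outcome(src: str, optimize: int, user: str, password: str) -> str:
    """Return 'accepted' or 'rejected' for a login attempt when the checker
    is compiled at the given optimization level."""
    check = build_checker(src, optimize)
    try:
        check(user, password)
        return "accepted"
    except (AssertionError, PermissionError):
        return "rejected"


if __name__ == "__main__":
    for name, src in (("assert-based", VULNERABLE_SRC), ("if-based", SAFE_SRC)):
        for opt in (0, 1):
            print(f"{name:13} optimize={opt}  wrong password ->",
                  outcome(src, opt, "alice", "wrong"))
```

Run stand-alone, the assert-based checker rejects the wrong password at optimize=0 and accepts it at optimize=1, while the `if`-based checker rejects it at both levels. The same holds for a whole deployment: a WSGI server or container entrypoint started with `python -O` (or `PYTHONOPTIMIZE` set) turns every assert-guarded check in the process into a no-op, which is why linters flag `assert` in non-test code.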