Learnings am Wegesrand: Für die Signierung und Verschlüsselung von #SAML-Metadaten nutzt man wegen der häufigen Rotationen und fehlender Automatisierungsmöglichkeit bei Kommunikationspartnern ja meist keine Letsencrypt-Zertifikate. Gestern dachte ich, ach für diesen kurzen Test geht’s mal. Und dann habe ich lange nach dem Fehler gesucht und gemerkt, dass Letsencrypt inzwischen EC-Schlüssel statt RSA generiert,mit denen der #Shibboleth SP nicht signieren kann. #til #sso #singlesignon

These SAMLStorm vulnerabilities have been public for a couple weeks now. Anyone seeing exploitation in the wild? How’s patching going across vendors and infra? #infosec #SAML #NodeJS #AppSec

Du verwendest #SAML #Authentifizierung?
Die letzten #Mastodon #Releases enthalten wichtige Sicherheitsupdates.
https://github.com/mastodon/mastodon/releases

Hivemind:

Roll your own SAML (like, no IdP)?

GitHub uncovers new Ruby-SAML Vulnerabilities allowing Account Takeover Attacks.

Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections.

https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

GitLab naprawia podatności związane z biblioteką ruby-saml

GitLab ogłosił wydanie nowych wersji oprogramowania. Aktualizacja dotyczy zarówno Community Edition, jak i Enterprise Edition. Poprawione wersje to  17.9.2, 17.8.5 oraz 17.7.7. Najważniejsza poprawka dotyczy dwóch podatności (CVE-2025-25291, CVE-2025-25292), zgłoszonych w bibliotece ruby-saml, która jest wykorzystywana przez GitLab do SAML SSO (security assertion markup language; single sign-on). W pewnych okolicznościach...

#WBiegu #Cve #Gitlab #Graphql #Podatności #Rce #Ruby #Saml

https://sekurak.pl/gitlab-naprawia-podatnosci-zwiazane-z-biblioteka-ruby-saml/

another lunchtime update, while I'm taking a break from doing #SAML updates. 4.3.6 #mastoadmin

GitLab's Critical Vulnerability Fixes: What You Need to Know

https://thedefendopsdiaries.com/gitlabs-critical-vulnerability-fixes-what-you-need-to-know/

#gitlab
#cybersecurity
#vulnerability
#saml
#authenticationbypass

Deux vulnérabilités (CVE-2025-25291, CVE-2025-25292) permettent de contourner l’authentification SAML (SSO) sur GitHub et GitLab via une attaque par « signature wrapping ».
Un attaquant disposant d'une signature valide pourrait ainsi se connecter sous l’identité d’un autre utilisateur. La prudence est de mise, surtout qu’un gang spécialisé dans les ransomwares a récemment ciblé ces plateformes. L’exploitation active est à ce jour inconnue.

GitLab recommande fortement la mise à jour vers 17.9.2 :

https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/

GitHub – Sign in as anyone (détails techniques) :

https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

#Cyberveille
#vulnerabilite
#GitHub
#GitLab
#SAML
#CVE_2025_25291
#CVE_2025_25292

If you run #gitlab with #SAML authentication, you better upgrade as soon as possible

https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/

USSO is a third-party cookie-based SSO (for now), built to work across multiple domains and businesses. It has been in development for over a year by Mahdi Kiani.

Right now, it's written in Python, but a Go rewrite is coming soon. After the rewrite, OAuth, SAML, and other authentication methods will be added.

For now, USSO doesn’t have a frontend to manage all SSO operations, but everything is available through an API.

A couple of microservices also work with USSO:

A global S3-based file manager

UFAAS, a Function-as-a-Service platform, optimized for Iran

UFAAS currently only supports IRT/IRR currencies and integrates with Iranian payment gateways, but accounts can also be manually charged.

A Rust module for USSO has also been released, making it easier to integrate with Rust-based applications. Additionally, I've recently joined the development team.

USSO is planned to be used on Parch Linux, and detailed deployment documentation will be written for all major platforms, including cloud, Docker, Kubernetes, and Jails.

Mahdi Kiani on X: https://x.com/mahdikiani
Project GitHub: https://github.com/ussoio
The File Manager: https://github.com/ufilesorg
FaaS: https://github.com/ufaasio
profile manager based on usso: https://github.com/uprofile
rustcrate: https://crates.io/crates/usso

If only there was a way of checking if a protocol element was modified during transmission.

just encrypting seems like kicking the can down the road

#aws #saml

https://aws.amazon.com/about-aws/whats-new/2025/02/aws-iam-encrypted-saml-assertions/

Spent the last few days deep in refactoring & code cleanup for #CyMaIS! Today, I finally finished the #SnipeIT role from @grokability Just need to integrate #SAML & #LDAP authentication to complete it.

Check it out here: https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-snipe_it

Check out my other solutions:

#IT Solutions https://cybermaster.space

#AI Solutions https://promptmaster.nexus

#Agile Solutions https://agile-coach.world

LemonLDAP::NG 2.20.2 has been released!

https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-20-2-is-out/

This version includes some security fixes

#IAM #SSO #lemonldap #lemonldapng #CAS #SAML #OpenIDConnect #OpenSource #FreeSoftware #Perl

@ow2 @PerlRakuFoundation @Perl

[Перевод] Аутентификация в WordPress через OpenAM по протоколу SAMLv2

SAMLv2 , не смотря на почтенный возраст, является стандартом де факто для SSO (Single Sign On) в корпоративной среде. И в этой статье мы настроим вход в WordPress по протоколу SAML используя аутентификацию OpenAM . То есть, при аутентификации в WordPress, пользователи будут перенаправлены в OpenAM и, после аутентификации в OpenAM будут автоматически аутентифицированы в WordPress. Учитывая гибкость OpenAM в настройке способов аутентификации, вы можете настроить вход в WordPress не только по логину и паролю, но еще, например, используя встроенную аутентификацию Windows (NTLMv2 или Kerberos), добавить второй фактор аутентификации (биометрию или одноразовый код) или даже фотографируя QR код в специальном мобильном приложении.

https://habr.com/ru/articles/865402/

One day I will learn enough about #SAML

Could we please, please, PLEASE agree on /.well-known/saml/metadata.xml ? Yes?

In Eurem UCS läuft nach der Keycloak-Anbindung die Portal-Session ständig ab? Jeder Client kann in Keycloak eine eigene Session Lifetime haben, unabhängig von den globalen Token Lifetime im Realm.

So stellt Ihr 10 Stunden ein:

univention-keycloak saml/sp update https://portal.example.org/univention/saml/metadata '{"attributes": {"saml.assertion.lifespan": "36000"}}'

In der Oberfläche: Clients -> Portal -> Reiter "Erweitert" -> Runterscrollen -> "Assertion Lifespan".

LemonLDAP::NG 2.20.1 has been released!

https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-20-1-is-out/

This version includes some security fixes

#IAM #SSO #lemonldap #lemonldapng #CAS #SAML #OpenIDConnect #OpenSource #FreeSoftware #Perl

@ow2 @Perl