Duo Security Discloses SAML Single Sign On Vulnerabilities

Widely used single sign on protocol could potentially be mis-configured, enabling attackers to easily take over a victim's account.

Two Factor Authentication Ignorance.

Duo Security reported on Feb. 27 that it discovered a series of vulnerabilities in widely-used Security Assertion Markup Language (SAML) implementations.

SAML is used by many different vendors to help enable single sign on (SSO) and federation capabilities across different services. Duo Security worked with CERT to help alert impacted vendors which include Okta, OneLogin, OmniAuth, Clever Inc and the Shibboleth Consortium among others.

"Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers," CERT warns in its advisory.

Kelby Ludwig, Senior Application Security Engineer at Duo Security explained that with a properly configured SAML setup, logging in correctly to one application can provide access to multiple additional applications in an SSO deployment. Ludwig warned that the SAML vulnerability enables attackers to tamper with a SAML message in order to authenticate themselves as any user.

"The exploitation of the issue we discovered is fairly easy and in most cases it just requires the insertion of seven characters to a request being passed through a web browser," Ludwig told eWEEK.

The actual vulnerabilities that Duo Security discovered are not flaws in the SAML protocol itself, but rather are implementation flaws. However, Ludwig said that the vulnerable SAML implementations were found in multiple SAML libraries including OneLogin's python-saml and ruby-saml, Clever's saml2-js, OmniAuth-SAML and Shibboleth openSAML C++.

To date, Ludwig said that Duo Security has seen no indication that the SAML flaws have been exploited by attackers in the wild.

"We have also not seen any indication that this vulnerability has ever been discussed before either," Ludwig said.

Steve Manzuik, Director of Security Research at Duo Security explained that his company co-ordinated with CERT to help get the issues patched in order to help mitigate risk.  As SAML is widely used, he noted that there is potentially a wider impact from smaller organizations that use the impacted libraries, that CERT might not have contacted.


A common technique that is often used by attackers and security researchers is to attempt to 'replay' or re-use credentials or tokens in an attempt to exploit a system. Ludwig explained that the SAML issues he discovered don't quite fit into the standard definition of how a replay attack works.

"A replay attack is close but it's not quite the same," Ludwig said. "What this vulnerability does is it lets an attacker take a SAML message in its original form and then tampers with it, to get a different user's access."


Ludwig noted that the SAML flaws should all be patched on the server-side, by impacted services. 

For end-users, Ludwig suggests that organizations that are unsure if their SAML implementation is at risk or needs to patch to check with their SAML service provider. Another way to help mitigate the risk of the SAML flaw is by using two-factor authentication (2FA) to further harden access control.

"If the SAML service provider enforces 2FA then it does somewhat mitigate the risk of the vulnerability," Ludwig said. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.