Duo Labs has found SAML protocol vulnerabilities that impact multiple vendor single sign-on (SSO) systems.
The Security Assertion Markup Language (SAML) is a popular standard used in SSO systems that allows users to log in to multiple websites with the same username and password.
According to the Duo blog post, the SAML vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.
Multiple vendor products were impacted, including Duo Network Gateway, OneLogin, Clever, OmniAuth-SAML and Shibboleth.
Users should update affected SAML-based SSO systems as soon as possible to patch the vulnerabilities. Duo has released updates for the Duo Network Gateway in version 1.2.10.