
inc-ops-notifications - [InCommon NOTICE] SimpleSAMLphp security advisory for IdP functionality
  • From: Nick Roy <>
  • To: <>
  • Date: Mon, 19 Dec 2016 12:01:38 -0500

Hello,


The SimpleSAMLphp project recently disclosed a security issue in SimpleSAMLphp versions earlier than 1.14.11 when configured to act as an Identity Provider (IdP), which could cause the unintentional release of the same value for SAML 2 persistent NameID and eduPersonTargetedID for all users. This issue, if triggered, can cause users from an affected IdP to gain access to protected content at federated SPs intended for other authorized users from the same IdP.


Deployers of this software should examine their SimpleSAMLphp configuration carefully, and upgrade as soon as possible to the newest version of the product.


More detailed info on the issue, triggers, and remediation may be found at:


https://simplesamlphp.org/security/201612-04


Best regards,


Nick Roy on behalf of InCommon Operations
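Added example, not part of the notice above and not SimpleSAMLphp's own code: a small script an IdP operator can run against exported assertion records to check for the symptom the notice describes, namely more than one distinct user receiving the same persistent NameID / eduPersonTargetedID value at the same SP. The derivation function is a generic hash-based persistent identifier used only to produce realistic sample values; it is not the project's implementation, and the advisory's specific trigger is not stated here. The record format (username, SP entityID, NameID value), the entity IDs, the salt and the shared value flagged at the second SP are all constructed for the example.

```python
import hashlib
from collections import defaultdict


def derive_persistent_id(salt: str, idp_entity_id: str, sp_entity_id: str,
                         user_attr: str) -> str:
    """Generic persistent-identifier derivation (illustrative assumption, not
    SimpleSAMLphp's actual code): a keyed hash over IdP, SP and a per-user
    attribute, so the value is stable per (user, SP) pair and differs across
    users and across SPs. It refuses an empty per-user input, because any
    derivation fed the same input for every user yields one shared value."""
    if not user_attr:
        raise ValueError("refusing to derive a persistent ID without a per-user attribute")
    material = "\x00".join([salt, idp_entity_id, sp_entity_id, user_attr])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def find_shared_nameids(records):
    """records: iterable of (username, sp_entity_id, nameid) tuples, e.g. built
    from IdP audit logs. Returns {(sp_entity_id, nameid): [distinct usernames]}
    restricted to values that more than one distinct user received at the same
    SP; an empty dict means no cross-user collision was observed."""
    users_by_id = defaultdict(set)
    for username, sp_entity_id, nameid in records:
        users_by_id[(sp_entity_id, nameid)].add(username)
    return {key: sorted(users) for key, users in users_by_id.items() if len(users) > 1}


# Constructed sample data (hypothetical entity IDs and salt).
SALT = "example-salt-not-a-real-secret"
IDP = "https://idp.example.edu/idp"
SP_OK = "https://sp-a.example.org/shibboleth"
SP_BROKEN = "https://sp-b.example.org/shibboleth"
# Constructed value standing in for a NameID that every user received at SP_BROKEN.
SHARED_VALUE = "5f1c0e9a9b3d4c8e1a2b3c4d5e6f7a8b9c0d1e2f"

SAMPLE_RECORDS = [
    ("alice", SP_OK, derive_persistent_id(SALT, IDP, SP_OK, "alice@example.edu")),
    ("bob", SP_OK, derive_persistent_id(SALT, IDP, SP_OK, "bob@example.edu")),
    # Repeat login by the same user: identical value is expected and is not a collision.
    ("alice", SP_OK, derive_persistent_id(SALT, IDP, SP_OK, "alice@example.edu")),
    # Symptom under discussion: three distinct users, one NameID, same SP.
    ("alice", SP_BROKEN, SHARED_VALUE),
    ("bob", SP_BROKEN, SHARED_VALUE),
    ("carol", SP_BROKEN, SHARED_VALUE),
]


def report(records=SAMPLE_RECORDS) -> str:
    """Human-readable summary of find_shared_nameids() for the given records."""
    shared = find_shared_nameids(records)
    if not shared:
        return "OK: no persistent NameID is shared by more than one user at any SP"
    lines = ["WARNING: shared persistent NameID values found"]
    for (sp_entity_id, nameid), users in sorted(shared.items()):
        lines.append(f"  SP {sp_entity_id}: NameID {nameid} issued to {', '.join(users)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

A single user appearing twice with the same value at one SP is expected behaviour for a persistent identifier and is deliberately not flagged; only a value shared across distinct usernames at the same SP is reported, which is the condition under which one user could reach another user's content at that SP.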
