SAML Security Vulnerability

Mon Mar 12, 18 | AAD | Security

Duo Labs announced on Feb 27th that it had discovered a security vulnerability in some SAML SSO providers. The outline of their public post showed how an attacker could authenticate to a SAML SSO provider and then manipulate the SAML response to impersonate a different user, thanks to differences between the canonicalization algorithms used when signing and when parsing the response.
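An added illustration of the parser divergence behind this class of bug (example code, not Microsoft's or Duo's): Duo's finding concerned an XML comment placed inside a NameID, which signature canonicalization ignores but which splits the value into two text nodes for some SAML libraries. The check below parses the assertion with comments preserved and rejects any NameID that is not a single plain text node; the sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAME_ID = f".//{{{SAML_NS}}}NameID"

# Constructed sample assertions (not real tokens, no signature included).
CLEAN = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

COMMENTED = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice<!-- c -->@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_keeping_comments(xml_bytes: bytes) -> ET.Element:
    """Parse XML with comment nodes kept (Python 3.8+) so mixed content is visible."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    parser.feed(xml_bytes)
    return parser.close()


def naive_text(xml_bytes: bytes) -> str:
    """What a 'first text node' extraction sees: only the text before a comment."""
    return parse_keeping_comments(xml_bytes).find(NAME_ID).text or ""


def comment_stripped_text(xml_bytes: bytes) -> str:
    """What a comment-dropping parser (like C14N without comments) sees."""
    return ET.fromstring(xml_bytes).find(NAME_ID).text or ""


def extract_name_id(xml_bytes: bytes):
    """Return the NameID value, or None when it is ambiguous across parsers.

    A NameID with child nodes (comments or elements) is rejected outright
    rather than reassembled, so every parser agrees on the accepted value.
    """
    root = parse_keeping_comments(xml_bytes)
    name_ids = root.findall(NAME_ID)
    if len(name_ids) != 1:      # missing or duplicated subject identifier
        return None
    elem = name_ids[0]
    if len(elem) != 0:          # any child node at all: comment or element
        return None
    value = (elem.text or "").strip()
    return value or None


if __name__ == "__main__":
    print(naive_text(COMMENTED), "|", comment_stripped_text(COMMENTED))
    print(extract_name_id(CLEAN), extract_name_id(COMMENTED))
```

The two extraction functions return different values for the same bytes, which is the disagreement the attack relied on; `extract_name_id` removes the ambiguity by refusing mixed content.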

As you can imagine, this raised serious concerns across the IT industry, which relies on SAML for federated identity and authentication services.

On March 2nd, following a review of the issue, Microsoft announced that our core products, Azure Active Directory, Azure Active Directory B2C, and Windows Server Active Directory Federation Services, are NOT affected by this vulnerability. In addition, any services that utilize Windows Identity Foundation (WIF) and/or ASP.NET WS-Federation as their identity middleware are also NOT affected.