On 27th February 2018, Duo announced the discovery of a new vulnerability class that affects SAML-based single sign-on (SSO) systems. The issue is described in the announcement linked above. The vulnerability affects SAML Service Providers (SPs) across a range of different software implementations. Identity Provider (IdP) software is unaffected, but IdP organisations should be aware of the potential issues.

The Shibboleth project has issued a security advisory, and an updated version of the Shibboleth Project’s XMLTooling library that corrects this issue is available. The Shibboleth vulnerability has been assigned CVE-2018-0489 and is referenced by a CERT Vulnerability Note. Shibboleth deployers are encouraged to sign up to the shibboleth-announce list in order to receive security announcements as soon as they are available.

Other software known to be affected is listed in the announcement by Duo.

Any eduGAIN participants with concerns should reach out to their home federation in the first instance, or contact edugain-support if unsure whom to contact.