Custom SAML connectors based on the following OneLogin SAML test connectors:
- OneLogin SAML Test (IdP)
- OneLogin SAML Test (IdP w/ attr)
- OneLogin SAML Test (IdP w/ attr w/ sign response)
- OneLogin SAML Test (SP)
- OneLogin WS-Fed Test (SAML 1.1)
- OneLogin WS-Fed Test (SAML 2.0)
Some third party OneLogin configuration recommendations using SAML test connectors:
The SAML Authentication Request Assertion Consumer Service (ACS) URL filter is used to only allow Authentication Requests from legitimate Service Providers (SP). The field to configure the ACS URL was not exposed for customer use in the available Test Connectors. Even though these connectors are not intended for production purposes, they have been leveraged by several customers. A connector with a misconfigured ACS URL filter could be potentially exploited through a sophisticated phishing attack. An improperly configured ACS URL filter could allow an Attacker to retrieve a valid SAML assertion for the Victim and thus be able gain access to the Service Provider as the Victim.
When a Service Provider (SP) initiates SAML authentication, the SP sends an AuthnReq to the Identity Provider (IdP) requesting authorization. Within the AuthnReq is a Assertion Consumer Service URL, which is the endpoint that will ‘consume’ whatever Assertion is generated by the IdP. Without a properly configured ACS URL filter, this means that the SAML Assertion can be sent to a possibly malicious service. If the SAML Assertion is sent to a malicious service, that service can replay the Assertion and thus act on behalf of the targeted user.
Root Cause: The ACS URL filter field was not exposed in the SAML test connectors available in OneLogin app and thus users could not set/change the filter. In addition, certain connectors needed stronger ACS URL filters.
Impact: A misconfigured ACS URL filter could allow an Attacker to assume the identity of a Victim on the Service authenticated against.
Audit: The ACS URL was logged in production log files, so OneLogin was able to confirm that no services were actively being targeted or exploited. OneLogin is adding ACS URL details to Activity Event logging within the application so users can also audit recent ACS URLs authenticated against.
How It Was Found
A OneLogin customer developer noted the flaw when working with these SAML test connectors.
OneLogin manually audited all of our SAML connectors to ensure proper ACS URL filters were setup; this was completed on June 25th, 2014. OneLogin deployed a SAML Test Connector that exposes the ACS URL filter field, so developers can configure ACS URL filters for their custom connectors going forward. Legacy test connectors have been deprecated from the App Connector Catalog, but any custom connectors based on these, will still be operational for their respective accounts.
We will be adding an ‘Event’ to Activity->Events in the OneLogin application interface so users of the application can audit ACS URLs being authenticated against.
There are several instances of third party setup guides. We are working with these third parties to ensure their documentation is up to date and accurate.
Remediation Caveats: Not all applications interact with our SAML connectors the same way and monitoring logs are being actively reviewed for connectivity issues caused by the enhanced filters. Some customers have experienced connectivity issues in the last 48 hours and we have tweaked connectors accordingly. If you experience any issues with any of our SAML connectors, please contact firstname.lastname@example.org.
Required Action Steps
Accounts which have used any of the legacy SAML test connectors to develop their own custom connector, are highly encouraged to migrate those connectors to the new "SAML Test Connector", which is now available in the App Connector Catalog. Test Connectors are not meant for production use.
For more details on this Security Advisory, please contact email@example.com.
- Initial Publication — June 25th, 2014
- Clarified details and required action steps — June 30, 2014
- Updated details and reformat report — July 30, 2014