***This update only applies to account owners that have deployed custom SAML connectors based on legacy SAML test connectors.***
As a follow-up to this Security Advisory, and to reduce the effort account owners need to update deployed custom SAML connectors based on legacy test connectors, OneLogin verified that all legacy SAML test connectors now have the ACS URL Validator field available for use. This filter prevents an attacker from supplying a malicious ACS URL in an attempt to steal credential data through a phishing attack.
Fig. 1: validator field now available on legacy test connectors
If you have any custom SAML connectors that are not currently using this field, please update them to use a regular expression that filters out invalid ACS URLs. For example, if the ACS URL is:
the regular expression could be:
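As an added illustration (not OneLogin's code, and not the advisory's own example values), the script below checks candidate ACS URLs against two validator patterns: a loose, host-only one with unescaped dots, and an anchored, escaped one built from the exact ACS URL. All URLs and patterns are constructed, and whether the validator field applies full-match or search semantics is an assumption, which is why the strict pattern carries its own anchors.

```python
import re

# Constructed sample values (not from the advisory): the SP's real ACS URL
# and three look-alike URLs that a loose validator should not accept.
LEGIT_ACS_URL = "https://sp.example.com/saml/acs"
LOOKALIKE_URLS = [
    "https://sp.example.com.evil.example/saml/acs",                    # host suffix
    "https://evil.example/login?return=https://sp.example.com/saml/acs",  # embedded
    "http://sp.example.com/saml/acs",                                  # scheme downgrade
]

# Loose validator: host only, unanchored, '.' left as a regex wildcard.
LOOSE_PATTERN = r"sp.example.com"

# Strict validator: the full ACS URL escaped and anchored at both ends,
# so it behaves the same whether the field uses full-match or search.
STRICT_PATTERN = r"^" + re.escape(LEGIT_ACS_URL) + r"$"


def acs_url_allowed(pattern: str, acs_url: str, full_match: bool = True) -> bool:
    """Return True if acs_url passes the validator regex.

    full_match=True models a validator that requires the whole URL to match;
    full_match=False models one that accepts any substring match. Which one
    the product applies is an assumption here; anchoring covers both.
    """
    if full_match:
        return re.fullmatch(pattern, acs_url) is not None
    return re.search(pattern, acs_url) is not None


def evaluate(pattern: str, full_match: bool) -> dict:
    """Map the legitimate URL and each look-alike to accept/reject."""
    urls = [LEGIT_ACS_URL] + LOOKALIKE_URLS
    return {url: acs_url_allowed(pattern, url, full_match) for url in urls}


if __name__ == "__main__":
    for label, pattern, full in (
        ("loose / search", LOOSE_PATTERN, False),
        ("strict / fullmatch", STRICT_PATTERN, True),
        ("strict / search", STRICT_PATTERN, False),
    ):
        print(label)
        for url, ok in evaluate(pattern, full).items():
            print(f"  {'ACCEPT' if ok else 'reject'}  {url}")
```

The loose pattern accepts every look-alike; the strict pattern accepts only the exact ACS URL under either matching semantics.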
As a reminder, the legacy SAML test connectors have been deprecated from the catalog, and going forward account owners should use the "SAML Test Connector" when generating new custom SAML connectors.
If you have any questions, please contact firstname.lastname@example.org or open a support ticket if you need help.