The attackers then insert a second, fake assertion–claiming to be an admin–into the already obtained, signed XML snippet. Owing to lax parsing rules in samlify versions prior to 2.10.0, the service provider ends up processing the attacker’s fake, unsigned identity along with the original signature.
Endor Labs researchers warned that this flaw opens the door to SAML SSO bypass and is easy to exploit as the “attack complexity is low”, “no privileges are required”, and “no user interaction is needed”. Additionally, the requirement for obtaining a signed XML was noted as “realistic”.
SAML authenticators should update to patched versions
The flaw has been addressed through patches in samlify versions 2.10.0 and later.