First published on CloudBlogs on Mar, 02 2018
Howdy folks, Recently a security vulnerability was discovered in a number of SAML SSO implementations which makes it possible for a signed SAML token to be manipulated to impersonate another user or to change the scope of a user’s authorization in some circumstances. The vulnerability is described in the finder’s blog, here. Many of you have been asking whether this affects Microsoft identity servers and services. We can confirm that Microsoft Azure Active Directory, Azure Active Directory B2C and Microsoft Windows Server Active Directory Federation Services (ADFS) are NOT affected by this vulnerability. The Microsoft account system is also NOT affected. Additionally, we can confirm that neither the Windows Identity Foundation (WIF) nor the ASP.NET WS-Federation middleware have this vulnerability. While Azure Active Directory and ADFS aren’t affected by this for incoming SAML tokens, you should ensure that any applications you use that consume SAML tokens issued by aren’t affected. We recommend you contact providers of your SAML based applications. Best Regards, Alex
Howdy folks, Recently a security vulnerability was discovered in a number of SAML SSO implementations which makes it possible for a signed SAML token to be manipulated to impersonate another user or to change the scope of a user’s authorization in some circumstances. The vulnerability is described in the finder’s blog, here. Many of you have been asking whether this affects Microsoft identity servers and services. We can confirm that Microsoft Azure Active Directory, Azure Active Directory B2C and Microsoft Windows Server Active Directory Federation Services (ADFS) are NOT affected by this vulnerability. The Microsoft account system is also NOT affected. Additionally, we can confirm that neither the Windows Identity Foundation (WIF) nor the ASP.NET WS-Federation middleware have this vulnerability. While Azure Active Directory and ADFS aren’t affected by this for incoming SAML tokens, you should ensure that any applications you use that consume SAML tokens issued by aren’t affected. We recommend you contact providers of your SAML based applications. Best Regards, Alex
Updated Jul 24, 2020
Version 6.0Alex Simons (AZURE)
Microsoft
Joined May 01, 2017
Microsoft Entra Blog
Stay informed on how to secure access for workforce, customer, and workload identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions.