On February 27, 2018, Duo Labs posted a blog article detailing a vulnerability class that impacts many SAML SSO implementations. For reference, see:
"This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password."
More information on these vulnerabilities can be found on the pages linked below:
Forum Sentry is an API Security Gateway that is often deployed as a cyber-secure Identity Policy Enforcement Point (PEP).
Forum Sentry is a cyber-security-hardened product with a built-in cyber-secure SAML SSO Identity Provider (IdP) component. Forum Sentry is *not* impacted by any of the recent SAML SSO related CVEs called out by the Duo Labs findings.
A key differentiator of Forum Sentry API Security Gateway technology is that it combines API Security with cyber-secure Identity Policy Enforcement Points for the strongest protection available.
Advantages of using Forum Sentry for Identity, Access Control, and SSO:
- Combined, centralized Identity Enablement and Translation
- Combined RBAC, ABAC, and CBAC
- Multi-Factor identity
- Universal, vendor agnostic support of modern identity formats
- Built-in adapters to all modern IdM systems
- Fully integrated support for SSO, including SAML & OAuth client and token servers
- Multi-Context Identity (using the protocol and the payload data)
- Extensible authentication APIs for no-code integration with other third-party authorization systems