Updated: Response to SAML Toolkit Vulnerability Notice

February 27th, 2018 | security & compliance

OneLogin has been the pioneer of secure single sign-on, pushing for the wide adoption of standards such as SAML and OpenID Connect as secure alternatives for password-based authentication. One of OneLogin’s key initiatives has been publishing SAML open source toolkits, also known as libraries, to enable any organization or SaaS vendor to adopt SAML - for free. Today, thousands of SaaS applications leverage OneLogin’s SAML toolkits and thousands more have adopted the standard to secure their users.

These open-source toolkits are completely independent from the OneLogin platform and are maintained by a dedicated team of engineers and the broader developer community. That maintenance includes taking feedback on potential improvements and on potential security vulnerabilities, which we address as needed. Typically, this process includes posting a CVE identifier, if one is available, and reaching out to any developer teams that we know are using the toolkit in question.

Earlier today, security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories detailing a new SAML vulnerability. As is standard practice, CERT/CC reached out to OneLogin in advance of this publication in order for us to address the impacted OneLogin toolkits, and they provided the CVE identifiers CVE-2017-11427 and CVE-2017-11428. OneLogin prepared patched versions of the impacted toolkits ahead of time, and in coordination with CERT/CC and their security advisory, published them this morning.

It is standard industry practice, upheld by CERT/CC, for vendors not to announce vulnerabilities before the coordinated publication date, so that all other affected vendors in the market can respond and patch their platforms as well, protecting the security of the broader Internet community.

Please note that there is no action required for users of the OneLogin platform itself; the required action is for developers that maintain apps that depend on any of the toolkits listed in the security advisory to use the provided patched versions. As an additional precautionary step, you should contact all the SAML service providers you use to verify their stance on the issue.

Below is a summary of the communication that was shared with toolkit users earlier today:

Security Notice: Vulnerability Note VU#475445

Security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories this morning detailing a new SAML vulnerability. CERT/CC reached out to OneLogin in advance of this publication in order for us to address the impacted OneLogin toolkits / libraries, specifically CVE-2017-11427 and CVE-2017-11428.

Once the security advisories were published, we were then allowed to publish our patches located here:



Alvaro Hoyos
CISO, OneLogin

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers, and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.