CAF – Security Bulletin for SAML2 Service Providers

A new flaw has been found in the XML processing performed by various SAML Service Providers.

Advisory Summary

The Shibboleth Service Provider software and other SAML implementations are vulnerable to forged user attribute data, which could facilitate user impersonation that exposes protected information.

To mitigate the risk, we urge Service Providers participating in CAF or using the software local to their institution to act swiftly on the guidance in the advisory for their vendor.  As before, the use of XML Encryption, which is part of the SAML protocol, is a significant mitigation. Deployers should prioritize patching systems that expect to handle unencrypted SAML assertions using Service Provider software impacted by this advisory.

Recommended Mitigation Actions

If using Shibboleth Service provider software: Upgrade to V1.6.4 or later of the XMLTooling-C library and restart the affected processes (shibd, Apache, etc.)
If using other Service Provider software: Review your vendor notifications and DUO Security blog below

Additional Details

For Shibboleth:
Informative blog on the topic of the risk:


Contact CAF Support at [email protected].