On 27th February 2018, Duo announced the discovery of a new vulnerability class that affects SAML-based single sign-on (SSO) systems. The issue is described in the announcement linked above. The vulnerability affects SAML Service Providers (SP) across a range of different software implementations. Identity Provider (IdP) software is unaffected, but IdP organisations should be aware of the potential issues.
The Shibboleth project has issued a security advisory, and an updated version of the Shibboleth Project’s XMLTooling library is available which corrects this issue. The Shibboleth vulnerability has been assigned CVE-2018-0489 and is referenced by a CERT Vulnerability Note. Shibboleth deployers are encouraged to sign up to the shibboleth-announce list in order to receive security announcements as soon as they are available.
Other software known to be affected is listed in the announcement by Duo.