SAML vulnerability VU#475445 - March 2018



Security researchers from Duo Labs and the CERT Coordination Center (CERT/CC) have released advisories detailing a new SAML vulnerability (VU#475445). Oomnitza uses the python-saml open source library, which is affected by this vulnerability. To resolve the issue, a patch will be deployed to all systems by Monday, March 5, 2018.


By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for OneLogin and other affected SAML service providers. The flaw is in how affected libraries read text out of a signed assertion: an XML comment inserted inside an element such as the NameID is dropped by signature canonicalization, so the signature still verifies, yet the library may return only the text before the comment as the user identity. An attacker who can obtain a signed assertion from the identity provider for an identifier that begins with a victim's identifier can therefore be logged in as that victim. Oomnitza has no indication that the vulnerability was exploited against our systems.
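The following is an added example of the class of flaw behind VU#475445, written for this page; it is not Oomnitza's or python-saml's code. The assertion, the identifiers and the HMAC "signature" are constructed. A real SAML signature is an XML-DSig over an exclusive-canonicalized assertion, but the C14N 2.0 output of Python's ElementTree (3.8+) shares the property that matters here: comments are dropped before the hash is taken. The example shows that an empty XML comment inside the NameID leaves the signature valid while a first-text-node read returns a truncated identity, and how a strict reader rejects the tampered assertion.

```python
"""Added example for the VU#475445 comment-injection flaw (constructed data).

The HMAC over canonical XML is a stand-in for the real XML-DSig; the point
it shares with Exclusive C14N is that comments never reach the signed bytes.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's key


def canonical(xml_text: str) -> str:
    """Form the 'signature' is computed over; comments are dropped by default."""
    return ET.canonicalize(xml_text, with_comments=False)


def sign(xml_text: str) -> str:
    return hmac.new(IDP_KEY, canonical(xml_text).encode(), hashlib.sha256).hexdigest()


def signature_valid(xml_text: str, sig: str) -> bool:
    return hmac.compare_digest(sign(xml_text), sig)


def name_id_node(xml_text: str):
    # minidom keeps comments, so a comment inside NameID splits its text
    # content into two separate text nodes.
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def name_id_naive(xml_text: str) -> str:
    """Vulnerable pattern: read only the first text node of NameID.

    Everything after an injected comment is silently lost."""
    return name_id_node(xml_text).firstChild.data


def name_id_strict(xml_text: str) -> str:
    """Hardened: NameID may contain text only; concatenate every text node."""
    node = name_id_node(xml_text)
    parts = []
    for child in node.childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected {child.nodeName} node inside NameID")
        parts.append(child.data)
    return "".join(parts)


def assertion(name_id: str) -> str:
    """Minimal constructed assertion; real ones carry many more elements."""
    return (f'<Assertion xmlns="{SAML_NS}"><Subject>'
            f'<NameID>{name_id}</NameID></Subject></Assertion>')


# Constructed scenario: the attacker legitimately holds an IdP account whose
# identifier has the victim's identifier as a prefix, and gets it signed.
VICTIM_ID = "alice@example.com"
ATTACKER_ID = "alice@example.com.attacker.example"
LEGIT = assertion(ATTACKER_ID)
SIG = sign(LEGIT)
# The attacker then splits the identifier with an empty XML comment.
TAMPERED = assertion("alice@example.com<!---->.attacker.example")


def demo() -> dict:
    results = {
        "signature_still_valid": signature_valid(TAMPERED, SIG),
        "naive_identity": name_id_naive(TAMPERED),
        "strict_identity_on_legit": name_id_strict(LEGIT),
    }
    try:
        name_id_strict(TAMPERED)
        results["strict_rejects_tampered"] = False
    except ValueError:
        results["strict_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The strict reader deliberately rejects rather than repairs: concatenating text nodes would recover the full identifier, but a NameID that contains a comment or any other child node did not come from a well-behaved identity provider and should fail authentication outright.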

Customer Required Action

No action is required on your part. If you have any questions, please contact

Mitigating The Vulnerability

If possible, we recommend temporarily disabling OneLogin SAML support in the settings until the patch is deployed on March 5, 2018. If this is not possible, system operations engineers can configure a whitelist of accepted networks and domain names to limit who can authenticate to the application. Note that this narrows exposure but does not remove the flaw: a tampered assertion from a trusted identity provider would still be accepted from a whitelisted network.



The Oomnitza Team