med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon


#saml


Good morning! On 11 June my full-day Keycloak training takes place again, and there are still a few free places. The target group is admins who use the Keycloak shipped by @univention together with UCS. No prior SSO knowledge is needed. If anyone else would like to take part, here are the registration details:

univention.de/training/keycloa

Univention: Keycloak technical training | Univention. The training is aimed at UCS users with basic Linux knowledge and focuses on the practical use of Keycloak.

I became a maintainer of a popular #SAML library for Node.js, "node-saml", which in turn uses "xml-crypto", which in turn is based on XML signatures.

If you are still using SAML for #SSO, be aware there has been a string of SAML vulnerabilities related to the fundamentals of how it works, and there are likely to be more. You are advised to use OIDC instead.

In this thread, I'll discuss some of the weaknesses in SAML that have come up repeatedly. 🧵

I'm sure there is a simple, totally obvious reason (no trusted central authority problem?) but it seems kind of strange to me that the #Fediverse doesn't allow me to truly use a single login across services via some kind of #FIDO compliant magic, considering that almost everyone is an #infosec person and/or developer. Admittedly, I haven't thought about this too deeply. Also, where's passkey support? #saml #sso

USSO is a third-party cookie-based SSO (for now), built to work across multiple domains and businesses. It has been in development for over a year by Mahdi Kiani.

Right now, it's written in Python, but a Go rewrite is coming soon. After the rewrite, OAuth, SAML, and other authentication methods will be added.

For now, USSO doesn’t have a frontend to manage all SSO operations, but everything is available through an API.

A couple of microservices also work with USSO:

A global S3-based file manager

UFAAS, a Function-as-a-Service platform, optimized for Iran

UFAAS currently only supports IRT/IRR currencies and integrates with Iranian payment gateways, but accounts can also be manually charged.

A Rust module for USSO has also been released, making it easier to integrate with Rust-based applications. Additionally, I've recently joined the development team.

USSO is planned to be used on Parch Linux, and detailed deployment documentation will be written for all major platforms, including cloud, Docker, Kubernetes, and Jails.

Mahdi Kiani on X: x.com/mahdikiani
Project GitHub: github.com/ussoio
The file manager: github.com/ufilesorg
FaaS: github.com/ufaasio
Profile manager based on USSO: github.com/uprofile
Rust crate: crates.io/crates/usso

#USSO #SSO #OAuth

Regarding the Keycloak identity provider, incidentally, openDesk is a nice place to look at how the various clients are connected. The preconfigured Keycloak is also a great example of releasing user attributes to the connected applications as sparingly and as specifically as possible.

gitlab.opencode.de/bmi/opendes

This is an absolutely brutal takedown of #Microsoft. How they aren't drowning in lawsuits. 🤷‍♂️

I totally understand the resistance to disabling smart card #SSO for the US govt. That's a huge change (but NYPD did it 🤔)

But MS should have been working on this non stop to help detect/mitigate. Then to outright lie about when they knew.

How any security professional could say 'well it requires access to the server' as a boundary. 😂

#SolarWinds #ADFS #InfoSec #SAML

propublica.org/article/microso

ProPublica: Whistleblower Says Microsoft Dismissed Warnings About a Security Flaw That Russians Later Used to Hack U.S. Government

A critical security flaw in GitHub Enterprise Server, known as CVE-2024-4985, allows attackers to bypass authentication and access private data. The issue lies in the SAML SSO (Security Assertion Markup Language Single Sign-On) authentication system, where attackers can send fake SAML responses that the server accepts, even if they're improperly signed. This lets them pretend to be any user, including admins, to access confidential repositories. To protect against this, it's recommended to update GitHub Enterprise Server to version 3.9.15 or later, or temporarily enable SAML certificate pinning. Additionally, monitoring access logs for unusual activities and changing passwords and SSH keys is advised.

docs.github.com/en/enterprise-
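The post above names SAML certificate pinning as a temporary mitigation: the service provider trusts only its configured IdP certificate, rather than whatever certificate a response happens to carry. The following is an added example written for this page, not GitHub's code or any SAML library's code. It shows the pinning pre-check a service provider can apply before handing the response to a full XML-Signature verifier: every assertion must be signed, and the certificate embedded in the signature must match a pinned SHA-256 fingerprint. The SAML and XML-DSig namespace URIs are the real ones; the certificate bytes, the function names and the response layout are constructed for the example.

```python
"""Constructed example: a certificate-pinning pre-check for SAML responses.

This is a gate that runs BEFORE (not instead of) cryptographic
XML-Signature verification. It rejects unsigned assertions and any
assertion whose embedded certificate is not the pinned IdP certificate,
so an attacker-supplied certificate never reaches the verifier.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Real namespace URIs from the SAML 2.0 and XML-DSig specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificates (not real X.509 blobs); a
# deployment would load the IdP's DER certificate from its metadata and
# pin its fingerprint in configuration.
PINNED_CERT_DER = b"constructed-idp-certificate-bytes"
PINNED_FINGERPRINT = hashlib.sha256(PINNED_CERT_DER).hexdigest()
ATTACKER_CERT_DER = b"constructed-attacker-certificate-bytes"


def build_response(cert_der=None):
    """Build a minimal SAML Response for the example.

    cert_der=None produces an assertion with no <ds:Signature>; otherwise
    the assertion carries an (enveloped) signature whose KeyInfo embeds
    the given certificate. SignatureValue is a placeholder: this example
    only demonstrates pinning, not signature computation.
    """
    sig = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        sig = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:SignatureValue>constructed</ds:SignatureValue>"
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            + b64 +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
            "</ds:Signature>"
        )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion ID="_a1">'
        "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
        + sig +
        "</saml:Assertion></samlp:Response>"
    )


def pin_check(response_xml, pinned_fingerprint=PINNED_FINGERPRINT):
    """Return (accepted, reason).

    Accept only when every <saml:Assertion> carries a <ds:Signature> whose
    <ds:X509Certificate> hashes to the pinned fingerprint. The caller must
    still verify the signature cryptographically and confirm that its
    Reference covers the assertion actually used for login.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertion"
    for assertion in assertions:
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            return False, "unsigned assertion"
        cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            return False, "signature without certificate"
        der = base64.b64decode(cert_el.text.strip())
        fingerprint = hashlib.sha256(der).hexdigest()
        # Constant-time comparison; the embedded certificate is untrusted input.
        if not hmac.compare_digest(fingerprint, pinned_fingerprint):
            return False, "certificate does not match pinned IdP certificate"
    return True, "pinned certificate present; proceed to XML-Signature verification"


if __name__ == "__main__":
    for label, cert in (("genuine", PINNED_CERT_DER),
                        ("attacker", ATTACKER_CERT_DER),
                        ("unsigned", None)):
        print(label, pin_check(build_response(cert)))
```

The design point is the order of operations: the fingerprint is compared against configuration before any part of the message is treated as a trust anchor, so a response that embeds its own certificate is refused even if its signature is internally consistent. The accept branch deliberately does not mean "authenticated"; it means the response is worth passing to the real verifier.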

@da_667 I am testing out at around 85%, which is barely enough to pass. I need to test out at 95% to have any real confidence. The last 10% is the toughest, but really, prospective infosec practitioners get a lot of support and everything is laid out; you just have to take a ton of sample tests, fix weak areas and keep going. Psychologically it can be tough since you need a bevy of certs to really have a chance at being semi-competent and well rounded, but people just do need to slow down and take one step at a time, be rigorous/thorough. #howtos #exercises #poc #praxis #saml #taxii #triads