SAML authentication broken almost beyond repair


Researchers have uncovered fresh techniques for breaking SAML-based authentication, further undermining the security assurances offered by the aging but still widely used authentication protocol.

SAML (Security Assertion Markup Language) has been the backbone of enterprise single sign-on (SSO) technologies for more than 20 years.

During a presentation at the Black Hat Europe conference on Wednesday, PortSwigger security researcher Zak Fedotkin demonstrated novel techniques for breaking the protocol by exploiting subtle flaws in XML handling.

Hacks developed by Fedotkin offered a way of achieving full authentication bypass in the Ruby and PHP SAML ecosystems.

Multiple security weaknesses were in play, and together they opened the door to attribute pollution, namespace confusion, and a new class of void canonicalization attacks, among others, as detailed in a blog post by PortSwigger.

The presentation, which built on earlier research into the security shortcomings of SAML, included a demo of an attack on a vulnerable GitLab Enterprise Edition 17.8.4 instance.

Exploiting several parser-level inconsistencies offered a way to develop reliable, stealthy exploits against multiple other SAML implementations as well.

The attacks were possible because several of these techniques allowed a potential attacker to bypass XML signature validation entirely while still presenting a document that the application accepted as a valid SAML response.

By combining a Ruby-SAML exploit with earlier research, the PortSwigger team were able to bypass email access controls to create a forged SAML Response, set up a new account, and ultimately bypass authentication on an as yet unnamed SaaS platform.

Fedotkin has released an open-source toolkit designed to identify and exploit these vulnerabilities in other real-world SAML deployments.

Patching necessary but insufficient without ‘foundational rework’

PortSwigger shared details of the Ruby-SAML 1.12.4 vulnerability with the maintainer in April. The corresponding vulnerabilities, CVE-2025-66568 and CVE-2025-66567, were fixed in early December.

Security teams need to make sure that SAML and XML security libraries are up to date by applying the latest security patches and version updates, but this may not go far enough. OAuth offers a newer technology for SSO that is better maintained and has fewer inherent security weaknesses than SAML, but simply switching isn’t a practical answer for most organizations because of the huge and long-established base of service providers that rely on SAML, Fedotkin told CSO.

The researcher said that comprehensive and lasting remediation requires significant restructuring of existing SAML libraries.

“Such changes may introduce breaking compatibility issues or regressions, but they are essential to ensure the robustness of XML parsing, signature validation, and canonicalization logic,” Fedotkin concluded. “Without this foundational rework, SAML authentication will remain vulnerable to the same classes of attacks that have persisted for nearly two decades.”
