Single Sign-on (SSO) Vulnerabilities for various SAML libraries
Updated March 15, 2018
Multiple vulnerabilities have been reported in how single sign-on (SSO) vendors and SAML libraries use the SAML protocol:
CVE-2017-11427 - OneLogin’s "python-saml"
CVE-2017-11428 - OneLogin’s "ruby-saml"
CVE-2017-11429 - Clever’s "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++
Coupa allows customers to configure SSO integration using SAML with their identity providers. Coupa uses a commercial vendor to implement the SAML service provider functionality within the product. The vendor used by Coupa is not affected by the reported vulnerabilities.