Thanks for the heads up! I took a quick read through the paper and it looks like they'll be releasing their tool to the open source community. We should *definitely* run it against CAS. My guess was they were targeting more of the SAML2.0 frameworks, of which we currently really only integrate with Google Apps right now.

On Fri, Aug 10, 2012 at 9:32 AM, Robert Oschwald <robertoschw...@googlemail.com> wrote:

> http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/03/BreakingSAML.pdf
> is an attack report to several SAML based SSO systems to be presented at
> USENIX, today.
>
> Most of the 14 systems are vulnerable to XML Signature Wrapping Attacks
> (OpenSAML through a flaw in Xerces).
>
> CAS was not one of the attacked systems, but it might be a good idea to
> security review the SAML parts.
>
> Robert