>From the thread on this on shibboleth-dev: http://shibboleth.net/community/advisories/secadv_20110725.txt
On Fri, Aug 10, 2012 at 9:37 AM, Scott Battaglia <[email protected]>wrote: > Thanks for the heads up! I took a quick read through the paper and it > looks like they'll be releasing their tool to the open source community. > We should *definitely* run it against CAS. My guess was they were > targeting more of the SAML2.0 frameworks, of which we currently really only > integrate with Google Apps right now. > > > On Fri, Aug 10, 2012 at 9:32 AM, Robert Oschwald < > [email protected]> wrote: > >> >> http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/03/BreakingSAML.pdf >> is an attack report to several SAML based SSO systems to be presented at >> USENIX, today. >> >> Most of the 14 systems are vulnerable to XML Signature Wrapping Attacks >> (OpenSAML through a flaw in Xerces). >> >> CAS was not one of the attacked systems, but it might be a good idea to >> security review the SAML parts. >> >> >> Robert >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-dev >> >> > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
