Pantheon has released a new version of our WP SAML Auth WordPress plugin. This release adds a notification for a recently discovered vulnerability in the SimpleSAMLphp library that can expose sites to SSO (Single Sign-On) forgery or impersonation.
This vulnerability affects only a small minority of WP SAML Auth implementations because the plugin defaults to a more modern library, OneLogin PHP SAML. Only sites configured with an outdated version of the SimpleSAMLphp library are vulnerable.
The update to WP SAML Auth includes a warning message displayed in the WordPress admin if a vulnerable version of SimpleSAMLphp is detected with instructions to install SimpleSAMLphp 2.3.7 or higher. Since the migration from the previous and most vulnerable versions of SimpleSAMLphp (1.x) to a newer and more secure version (2.x or above) can be onerous, some teams may prefer to switch from SimpleSAMLphp to the default of the plugin, OneLogin PHP SAML than to upgrade SimpleSAMLphp.
When a version of SimpleSAMLphp older than 2.0.0 is detected, an error notice is displayed in the WordPress admin on every page. An option has been added that can be used to disable SAML-based authentication entirely if the version of the library is in this critical state. When a version of SimpleSAMLphp older than 2.3.7 is detected, that notice is downgraded to a warning, but is still visible across all admin pages until SimpleSAMLphp has been upgraded. If the version could not be detected, a warning message appears on the WP SAML Auth admin page.
Action required
You are encouraged to upgrade your version of WP SAML Auth to the latest version as soon as possible so you know with certainty whether your site is vulnerable. If you see the notice in your dashboard, we recommend that you upgrade to the latest version of SimpleSAMLphp immediately.
If you have questions or concerns, please open issues in the queue for the plugin.