Ping Identity Updates Seem to be causing issues with IDP SAML Auth

We have a customer that is using Ping Identity to access our IDP SAML servers. It appears there was a security fix from an advisory in August 2021 (SECADV028) that they put into place. The security fix says, “We have discovered that PingFederate is vulnerable to XML XXE and DTD processing vulnerabilities that allow an attacker to chain specially-crafted requests to exfiltrate configuration files including decryption keys.”

After putting this fix into place, the customer is no longer able to access our services. We see the following in our logs:

ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: Verifying the SAML response signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: Verifying the SAML response signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: Retrieving the signature certificates for the partner identity provider https://xxxxxxxxxxxxxxx.com.
ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: Retrieving the signature certificates for the partner identity provider https://xxxxxxxxxxxxxxx.com.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: Loading the X.509 certificate from the file c:\filelocation-obfuscated..
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: The X.509 certificate with subject name CN=xxxxx, OU=IT Security, O=Company Name, L=City, S=State, C=US and serial number 9167CF0B0000 has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: The X.509 certificate with subject name CN=xxxxx.xxxx.com, OU=IT Security, O=Company Name, L=City, S=State, C=US and serial number 9167CF0B0000 has been cached.
ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: The X.509 certificate with subject name CN=xxxxx.xxxx.com, OU=IT Security, O=Company Name, L=City, S=State, C=US and serial number 9167CF0B0000 has been retrieved from the cache.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: The X.509 certificate with subject name CN=xxxxx.xxxx.com, OU=IT Security, O=Company Name, L=City, S=State, C=US and serial number 9167CF0B0000 is being used to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: The X.509 certificate with subject name CN=xxxxx.xxxx.com, OU=IT Security, O=Company Name, L=City, S=State, C=US and serial number 9167CF0B0000 is being used to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/24: 3/21/2022 8:04:26 AM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 4980/12: 3/21/2022 8:04:26 AM: Failed to verify the XML signature.
The customer says that they dealt with this before with another vendor and that it was special characters that were not processed correctly by the IDP SAML Service.

Has anyone encountered this before and have any ideas on what could be happening?

Thanks for any help!
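An added example (not code from this post or from ComponentSpace) of the failure mode the log shows: an XML signature covers a digest of the canonicalized Assertion, so if anything re-serializes the document after signing and changes how special characters are escaped, the recomputed reference digest no longer matches and verification fails before the certificate is even checked. The sample Assertion, the issuer URL and the digest-only signature are constructed, and the Python standard library's C14N 2.0 canonicalizer is used as a stand-in for the exclusive C14N transform a real IdP applies (an assumption for illustration).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS_NS)      # keep the usual prefixes when re-serializing
ET.register_namespace("saml", SAML_NS)

def signed_content_digest(assertion_xml: str) -> str:
    """Base64 SHA-256 of the Assertion after the enveloped-signature transform
    (ds:Signature removed) and canonicalization. Assumption: the stdlib C14N 2.0
    writer stands in for the exclusive C14N transform a real SAML IdP applies."""
    root = ET.fromstring(assertion_xml)
    for signature in root.findall(f"{{{DS_NS}}}Signature"):
        root.remove(signature)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def build_signed_assertion(display_name: str) -> str:
    """Constructed sample: an Assertion whose ds:Reference carries the digest of
    its own canonical form (SignatureValue omitted; only the digest is needed)."""
    head = (f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_a1">'
            '<saml:Issuer>https://idp.example.test</saml:Issuer>')
    tail = (f'<saml:Subject><saml:NameID>{escape(display_name)}</saml:NameID>'
            '</saml:Subject></saml:Assertion>')
    digest = signed_content_digest(head + tail)
    signature = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
                 f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
                 '</ds:SignedInfo></ds:Signature>')
    return head + signature + tail

def reference_digest_matches(assertion_xml: str) -> bool:
    """Verifier side: recompute the reference digest and compare it with the
    signer's DigestValue. A mismatch means the signed bytes changed after
    signing; a wrong certificate would fail later, at the SignatureValue check."""
    claimed = ET.fromstring(assertion_xml).findtext(f".//{{{DS_NS}}}DigestValue")
    return claimed == signed_content_digest(assertion_xml)

def reserialize_badly(assertion_xml: str) -> str:
    """Model an intermediary that escapes already-escaped text a second time
    after signing (the special-character effect the customer described)."""
    return assertion_xml.replace("&amp;", "&amp;amp;")

if __name__ == "__main__":
    signed = build_signed_assertion("O'Brien & Sons")
    print(reference_digest_matches(signed), reference_digest_matches(reserialize_badly(signed)))
```

A name without special characters passes through `reserialize_badly` unchanged and still verifies, which is why this kind of breakage appears only for some users.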

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace