
SolarWinds Orion customers have suffered some network compromises according to news reports.

One report says, right at the end of the article, that SAML 2.0 signing certificates may have been compromised.

From the point of view of a SAML service provider (that's me!), this means attackers can spoof Assertions (credentials) to our service. Our customers definitely don't want that. Neither do we.

It seems likely our customers who

  1. use SAML and
  2. were hit by those attackers

will want to change their SAML public keys on our system and systems like it. Quickly!

The CA and certificate revocation stuff built into the browser TLS won't help: many of these SAML signing certificates are self-signed; they're just used for crypto key exchange for document signatures.

For this specific kind of infosec emergency are there any best practices for handling this sort of cross-system mass scale cert update? I'd even want to see some actual practices...

schroeder
O. Jones
  • Prediction: you'll be answering this yourself in a couple days once you've figured out the best solution :) – Conor Mancone Dec 15 '20 at 14:44
  • Use SAML implementations that understand how to use your partner's metadata endpoints for updating your stack's certificates. This is the only mechanism that you possibly have beyond manual coordination. – Andrew K. Dec 15 '20 at 16:00
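Andrew K.'s comment names the mechanism SAML 2.0 metadata provides for this, and the question's point about self-signed certificates explains why it is the only one: a service provider trusts the certificates listed in its IdP's metadata, not a CA chain, so a refreshed metadata document is what adds a replacement signing certificate and withdraws a compromised one. The Python below is an added illustration, not code from the question or the comments. It uses constructed placeholder bytes in place of real DER certificates and a placeholder SignatureValue; the entityID and the one-hour cache age are assumptions. It shows the SP-side trust store keyed by certificate fingerprints taken from metadata, the stale-cache window during which a removed certificate is still accepted, and the forced refresh an operator would trigger during an incident. Cryptographic verification of the SignatureValue is left to the SAML library; the example demonstrates only the decision about which certificates are allowed to sign.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-ins for DER-encoded certificates (not real X.509; the
# trust decision below depends only on their SHA-256 fingerprints).
OLD_CERT_B64 = base64.b64encode(b"constructed DER of IdP cert A (compromised)").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed DER of IdP cert B (replacement)").decode()


def idp_metadata(certs_b64):
    """Build a minimal IdP EntityDescriptor listing the given signing certs
    (entityID is a hypothetical value)."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs_b64
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
        'entityID="https://idp.example.com/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def assertion_with_signer(cert_b64):
    """Minimal Assertion with an enveloped ds:Signature whose KeyInfo names the
    signing certificate; SignatureValue is a placeholder, not a real signature."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_1">'
        "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>"
    )


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes; base64 in metadata is often line-wrapped."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP currently publishes for
    signing. A KeyDescriptor without 'use' is valid for signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            fps.add(fingerprint(cert.text))
    return fps


class MetadataTrustStore:
    """SP-side trust in IdP signing certificates, sourced from the IdP metadata
    endpoint and re-fetched once the cached copy is older than max_age."""

    def __init__(self, fetch_metadata, max_age):
        self.fetch_metadata = fetch_metadata  # callable returning metadata XML
        self.max_age = max_age
        self.fingerprints = set()
        self.fetched_at = None

    def refresh(self, now):
        self.fingerprints = signing_fingerprints(self.fetch_metadata())
        self.fetched_at = now

    def trusted(self, now):
        if self.fetched_at is None or now - self.fetched_at > self.max_age:
            self.refresh(now)
        return self.fingerprints


def signer_is_trusted(assertion_xml, store, now):
    """Accept the assertion's signer only if its certificate is in the current
    metadata. The SignatureValue itself must still be verified by the SAML
    library; this is the step that rejects a withdrawn (compromised) cert."""
    root = ET.fromstring(assertion_xml)
    sig = root.find(f"./{{{DS}}}Signature")
    if sig is None:
        return False
    cert = next(sig.iter(f"{{{DS}}}X509Certificate"), None)
    if cert is None or not cert.text:
        return False
    return fingerprint(cert.text) in store.trusted(now)


def rollover_demo():
    """Simulate the IdP replacing cert A with cert B after a compromise."""
    published = {"xml": idp_metadata([OLD_CERT_B64])}
    store = MetadataTrustStore(lambda: published["xml"], max_age=timedelta(hours=1))
    t0 = datetime(2020, 12, 15, tzinfo=timezone.utc)
    results = {}
    results["old_before"] = signer_is_trusted(assertion_with_signer(OLD_CERT_B64), store, t0)
    # The IdP withdraws A and publishes B only.
    published["xml"] = idp_metadata([NEW_CERT_B64])
    # Within max_age the SP still uses its cached copy, so A stays trusted.
    results["old_cached"] = signer_is_trusted(assertion_with_signer(OLD_CERT_B64), store, t0 + timedelta(minutes=5))
    # Incident response: force a refresh instead of waiting for the cache to age out.
    store.refresh(t0 + timedelta(minutes=6))
    results["old_after"] = signer_is_trusted(assertion_with_signer(OLD_CERT_B64), store, t0 + timedelta(minutes=7))
    results["new_after"] = signer_is_trusted(assertion_with_signer(NEW_CERT_B64), store, t0 + timedelta(minutes=7))
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

The `old_cached` result is the operational lesson: a metadata refresh interval is also the window during which a compromised signing certificate keeps working, so the incident-day actions on the SP side are to force a reload and shorten the interval, and on the IdP side to remove the old KeyDescriptor from the published metadata rather than only adding the new one. Because the metadata endpoint now decides who may sign assertions, it needs the same protection the certificates had: fetch it over TLS and verify the metadata document's own XML signature, so the endpoint cannot be used to slip a rogue certificate into the trust store.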

0 Answers