SolarWinds Orion customers have suffered some network compromises, according to news reports.
One report says, right at the end of the article, that SAML2.0 signing certificates may have been compromised.
From the point of view of a SAML service provider (that's me!), this means attackers can spoof Assertions (credentials) to our service. Our customers definitely don't want that. Neither do we.
It seems likely our customers who
- use SAML and
- were hit by those attackers
will want to change their SAML public keys on our system and systems like it. Quickly!
The CA and certificate revocation stuff built into the browser TLS won't help: many of these SAML signing certificates are self-signed; they're just used for crypto key exchange for document signatures.
For this specific kind of infosec emergency, are there any best practices for handling this sort of cross-system, mass-scale cert update? I'd even want to see some actual practices...
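One SP-side mechanism for the situation the question describes, as an added example that is not from the original post: IdP signing certificates are pinned by fingerprint (so a self-signed certificate can be revoked without any CA, CRL or OCSP), and a one-step emergency rollover can be applied across many customer IdPs at once. The `TrustStore` class, its method names and the epoch-second validity field are assumptions; XML-DSig verification itself is left to an XML signature library and happens before `trusted()` is consulted.

```python
import hashlib
from dataclasses import dataclass, field
ACTIVE, REVOKED = "active", "revoked"

def fingerprint(cert_der: bytes) -> str:
    # Pin by SHA-256 of the raw cert bytes: no CA chain, CRL or OCSP involved, so it works for self-signed IdP certs.
    return hashlib.sha256(cert_der).hexdigest()

@dataclass
class PinnedCert:
    not_after: int          # POSIX seconds; taken from the certificate's validity period
    status: str = ACTIVE

@dataclass
class TrustStore:
    # entity_id -> {fingerprint: PinnedCert}. Several ACTIVE certs per IdP are
    # allowed so a planned rollover can overlap instead of cutting over at once.
    idps: dict = field(default_factory=dict)

    def add(self, entity_id: str, cert_der: bytes, not_after: int) -> str:
        fp = fingerprint(cert_der)
        self.idps.setdefault(entity_id, {})[fp] = PinnedCert(not_after)
        return fp

    def revoke(self, entity_id: str, fp: str) -> None:
        # Keep the record but flip its status, so audits can still see it once existed.
        self.idps[entity_id][fp].status = REVOKED

    def trusted(self, entity_id: str, cert_der: bytes, now: int) -> tuple:
        # Call after XML-DSig verification has shown cert_der produced the signature.
        pinned = self.idps.get(entity_id, {}).get(fingerprint(cert_der))
        if pinned is None:
            return False, "unknown signing certificate"
        if pinned.status == REVOKED:
            return False, "signing certificate revoked"
        if now >= pinned.not_after:
            return False, "signing certificate expired"
        return True, "ok"

    def emergency_rollover(self, entity_id: str, new_der: bytes, not_after: int) -> dict:
        # Compromised-key path: pin the replacement and revoke every other active cert in one step.
        old = [fp for fp, c in self.idps.get(entity_id, {}).items() if c.status == ACTIVE]
        new_fp = self.add(entity_id, new_der, not_after)
        revoked = [fp for fp in old if fp != new_fp]
        for fp in revoked:
            self.revoke(entity_id, fp)
        return {"entity_id": entity_id, "pinned": new_fp, "revoked": revoked}

def bulk_emergency_rollover(store: TrustStore, updates: list) -> list:
    # updates: [(entity_id, new_cert_der, not_after), ...] submitted by many customers at once.
    return [store.emergency_rollover(*u) for u in updates]
```

The certificate byte strings passed in would be the DER blobs published in each IdP's metadata; the returned reports give the SP an audit trail of which fingerprints were pinned and revoked during the mass update.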