🚨 Vulnerability in samlify (CVE-2026-46490): privilege escalation in Node.js SSO systems

A vulnerability has been found in the popular `samlify` library for handling SAML. It allows privilege escalation through XML injection, which poses a risk to Polish companies that use Node.js for authentication.

https://cyberowi.pl/luka-w-samlify-cve-2026-46490-eskalacja-uprawnien-w/

#cve #nodejs #saml #sso

#cyberbezpieczenstwo

#Jellyfin #SSO plugin https://github.com/9p4/jellyfin-plugin-sso has been archived ("I'm tired of working on this after all the years", which, fair).
But it looks like it was forked into https://github.com/eddymoulton/jellyfin-plugin-oidc and development continues, limiting itself to #OIDC but without #SAML.
Nice!

#SelfHost #SelfHosting #HomeLab

GitHub - 9p4/jellyfin-plugin-sso: This plugin allows users to sign in through an SSO provider (such as Google, Microsoft, or your own provider). This enables one-click signin.

Enterprise SSO with SAML: one XML signature wrapping attack = access to every app in scope. This week I broke down XSW variants, void canonicalization bypass, NameID comment injection, and attribute-based escalation. Five quick checks that cover most real-world SAML bugs, all automatable with SAMLRaider. https://www.kayssel.com/newsletter/issue-54/
#InfoSec #CyberSecurity #Pentesting #BugBounty #OffSec #SAML #SSO
SAML SSO Exploitation: Breaking the Trust Chain

XML signature wrapping variants, void canonicalization bypass, NameID comment injection, SAML attribute injection, and token replay against enterprise SSO


@homelab OK, after playing around a tiny bit, it seems that the code for this exists in #Kanidm:
- https://github.com/kanidm/kanidm/pull/2968
- https://github.com/kanidm/kanidm/pull/3535/
but what doesn't exist is the ability to reach it and set that up for a user. Oh well.

#Privacy #Security #SelfHosting #SSO

20240810 application passwords by Firstyear · Pull Request #2968 · kanidm/kanidm

Supersedes #2578 Relates #41 This rebases the PR to latest master, and I'll do the remaining review items. Checklist [ x ] This PR contains no AI generated code [ x ] cargo fmt has been run c...


Authentik is an open-source identity provider that brings single sign-on (SSO) to your self-hosted services.

Manage access to apps like Jellyfin, Immich, Nextcloud, Vaultwarden, and more from one place, with support for OAuth2, OIDC, SAML, LDAP, and other authentication standards.

A powerful tool for anyone running a homelab or self-hosted infrastructure.

👉 https://digitalescapetools.com/tools/tool.html?id=authentik

#OpenSource #SelfHosted #Authentik #SSO #Homelab #Privacy #FOSS

🔐 voidauth/voidauth

Single Sign-On for Your Self-Hosted Universe

Provides SSO authentication and user management for self-hosted apps with OIDC, LDAP, MFA and passkeys

⭐ Stars: 2152
📅 Last Update: Jun 10, 2026

https://github.com/voidauth/voidauth

#selfhosted #homelab #selfhost #selfhosting #opensource #sso #authentication

GitHub - voidauth/voidauth: Single Sign-On for Your Self-Hosted Universe

After trying #Keycloak for a while, trying to integrate it with ForgeJo for Single Sign-On (#SSO), I wasn't really satisfied with Keycloak. Keycloak's error messages were too unhelpful. The documentation, too nebulous. I lurked in their forums a bit, but didn't really want to use Slack as some sort of depended-upon service. Whatever the Keycloak error messages said, the eventual solutions usually ended up being so disconnected from the error message that it dawned on me that the error messages were effectively "red herrings", serving only to throw me off the trail.

Keycloak had a vibe to it that I'd describe as "Enterprise Bozak". It had the *look* of professionalism, making a solid effort to *appear* attractive to higher-up management types, but it didn't really *deliver* the helpfulness I was expecting in order to actually overcome the technical hurdles I encountered. I've set Keycloak aside for now, and I'm trying out #Authelia instead, with an LLDAP backend. They seem easier to work with, as the error messages have been good so far: more of a technical helpfulness. After several hours of tinkering, I've set up my first LLDAP/Authelia users, including registering a passkey. I'll next see if I can integrate the Authelia SSO with #ForgeJo.

#infosec #OpenSource

I've installed Pocket ID recently and switched many of my self-hosted services over to it, and I absolutely love it! It's pretty, it's fast, it works really well!

Pocket ID is an OpenID provider that you can use for self-hosted Single Sign-On.

https://pocket-id.org

I just wish more services supported it!

#PocketID #SSO #SelfHosting #OpenID #OIDC

Pocket ID | Simple OIDC Provider

A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.


Are you using #oss #linux #entra #sso on a #chromium browser? Please give this MR a try which should fix SSO after hibernation (and reduces resource consumption).

https://github.com/siemens/linux-entra-sso/pull/138

Support manifest v3 service worker lifecycle by fmoessbauer · Pull Request #138 · siemens/linux-entra-sso

This is a major refactoring to properly support the manifest v3 service worker lifecycle, whereby the service worker is terminated after 30 seconds of inactivity. This saves energy (by not idling t...

SSO forces strike Baltic Fleet base in Kronstadt

Drones of the Ukrainian Special Operations Forces (SSO) have struck a base of the Russian Federation's Baltic Fleet in Kronstadt, Ukrinform News reports.

Укрінформ