Turbot Guardrails Enterprise (TE) v5.42.5 - SAML Security Enhancements and Package Update (v4.0.4).

Nov 08, 2023
TE

What's new?

  • Server

    • Updated: Replaced the passport-saml package with @node-saml/passport-saml 4.0.4.
    • Updated: The directory API now supports the Require Signed Authentication Response and Strict Audience Validation settings.
  • UI:

    • Added: Introduced UI options for Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.

Enhanced Security and Compatibility Guide for SAML Authentication

Description

With the move to @node-saml/passport-saml, the package now expects the SAML authentication response itself to be signed and the assertion's audience to be validated. To keep existing SAML directories working, we have introduced two new options in the UI:

  1. Require Signed Authentication Response
  2. Strict Audience Validation

For backward compatibility, both options are initially set to Disabled by default.

Important Note: When enabled, these options ensure that the SAML authentication response (not only the assertion inside it) is signed, and that the audience of the assertion is validated against the directory's Issuer ID. Neither check was available in earlier versions of the package.
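The following is an added illustration of what the two options check at the message level; it is not Turbot code and not the @node-saml/passport-saml library (where, to our understanding, these correspond to the wantAuthnResponseSigned and audience settings). It builds a constructed, minimal SAML 2.0 Response with Python's standard-library XML parser, then applies the two checks: is the samlp:Response element itself enveloped-signed with a ds:Reference pointing at the Response ID, and does every AudienceRestriction include the service provider's entity ID (the directory's Issuer ID)? The signature check is structural only; it does not verify the cryptographic signature, which the SAML library does against the IdP certificate. The entity IDs and element IDs used are hypothetical.

```python
"""Structural illustration of the two SAML checks described above (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_response(audience, sign_response, sign_assertion):
    """Constructed sample Response; signature blocks are placeholders, not real XML-DSig."""
    def sig(ref_id):
        return ('<ds:Signature><ds:SignedInfo>'
                f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
                '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
    conditions = (
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        if audience else '<saml:Conditions/>'
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_resp1" Version="2.0">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'           # hypothetical IdP
        + (sig("_resp1") if sign_response else '')
        + '<samlp:Status><samlp:StatusCode '
          'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
          '<saml:Assertion ID="_assert1" Version="2.0">'
          '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        + (sig("_assert1") if sign_assertion else '')
        + conditions
        + '</saml:Assertion></samlp:Response>'
    )


def signature_references(elem):
    """Reference URIs of ds:Signature elements that are direct children of elem."""
    return [ref.get("URI", "")
            for sig in elem.findall("ds:Signature", NS)
            for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)]


def response_is_signed(root):
    """True only if the Response element carries an enveloped signature over its own ID.
    A signature on the Assertion alone does not satisfy this check."""
    resp_id = root.get("ID")
    return bool(resp_id) and f"#{resp_id}" in signature_references(root)


def check_response(xml_text, sp_entity_id, require_signed_response=True, strict_audience=True):
    """Return rejection reasons; an empty list means the response passes the enabled checks."""
    root = ET.fromstring(xml_text)
    problems = []
    if require_signed_response and not response_is_signed(root):
        problems.append("Response element is not signed (assertion-level signature or none)")
    if strict_audience:
        restrictions = root.findall(
            ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction", NS)
        if not restrictions:
            problems.append("assertion carries no AudienceRestriction")
        # Per SAML 2.0, each AudienceRestriction must be satisfied (AND); within one,
        # membership in any listed Audience suffices (OR).
        for restriction in restrictions:
            audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
            if sp_entity_id not in audiences:
                problems.append(f"AudienceRestriction {audiences} does not include {sp_entity_id!r}")
    return problems


if __name__ == "__main__":
    SP = "https://guardrails.example.com/saml"   # hypothetical directory Issuer ID
    for label, xml in [
        ("response+assertion signed, audience matches", build_response(SP, True, True)),
        ("assertion signed only", build_response(SP, False, True)),
        ("audience mismatch", build_response("https://other.example.com/saml", True, True)),
    ]:
        print(label, "->", check_response(xml, SP) or "accepted")
```

Run with both options enabled, the second and third samples are rejected; pass require_signed_response=False or strict_audience=False to see the pre-upgrade (Disabled) behaviour accept them, which is exactly the gap the two new options close.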

Recommendations

We recommend that customers enable both of these options, as they add an additional layer of security. Be aware, however, that enabling them can break SAML login if the Identity Provider is not configured to match. Check the IdP-side settings below before enabling them.

Here are specific recommendations for popular Identity Providers (IDPs):

Okta

  • Strict Audience Validation: If enabled, ensure that the directory's "Issuer ID" matches the "Audience Restriction" value configured for the application in Okta.

OneLogin

  • Require Signed Authentication Response: Leave this option disabled for OneLogin directories, as OneLogin does not support it.
  • Strict Audience Validation: If enabled, ensure that the directory's "Issuer ID" matches the "Audience" value configured for the application in OneLogin.

Microsoft Entra ID (previously known as Azure AD)

  • Require Signed Authentication Response: If enabled, set the Signing Option to "Sign SAML response and assertion". The Signing Option is found on the SAML Signing Certificate page of the enterprise application in Entra ID.

Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.