OneLogin AD Connector Cryptographic Authentication Bypass Vulnerability Allowing User Impersonation

Vulnerability

A cryptographic authentication bypass vulnerability has been identified in OneLogin AD Connector versions prior to 6.1.5. This vulnerability arises from the exposure of a tenant's SSO JWT signing key through the /api/adc/v4/configuration endpoint. An attacker with access to the signing key can create valid JWT tokens that impersonate users within the OneLogin tenant. These tokens facilitate authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC, granting unauthorized access across the victim's SaaS environment.

Impact

Exploitation of this vulnerability allows for cross-tenant account compromise by impersonating users and accessing their applications within the OneLogin environment.

Reproduction

The vulnerability can be reproduced by sending a request to the OneLogin API configuration endpoint with the directory token and other required parameters. This request will return the SSO IdP configuration, including the signing key. The exposed signing key can then be used to craft JWT tokens that impersonate users in the OneLogin tenant.

Remediation

Users are advised to upgrade to OneLogin AD Connector version 6.1.5 or later.
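The practical check that follows from the remediation note is an inventory sweep: which AD Connector installations are still below 6.1.5? The script below is an added example, not code from the advisory or from OneLogin. It takes the fixed version (6.1.5) from the advisory; the hostnames and version strings in the sample inventory are constructed. It parses versions into integer tuples rather than comparing strings, because a plain string comparison would wrongly classify a hypothetical 6.1.10 as older than 6.1.5.

```python
import re

# Fixed version stated in the advisory: 6.1.5 and later are patched.
FIXED_VERSION = "6.1.5"


def parse_version(version: str) -> tuple:
    """Parse a dotted version such as '6.1.5' or 'v6.1.10' into a tuple of ints.

    A leading 'v' and any non-numeric suffix (e.g. '-beta') are ignored;
    missing minor/patch components count as 0 so '6.1' == (6, 1, 0).
    """
    core = version.strip().lstrip("vV")
    match = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed AD Connector is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map {hostname: version} to {hostname: 'vulnerable' | 'patched'}."""
    return {
        host: ("vulnerable" if is_vulnerable(version) else "patched")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are hypothetical).
    sample_inventory = {
        "adc-dc01.corp.example": "6.1.4",
        "adc-dc02.corp.example": "6.1.5",
        "adc-dc03.corp.example": "v6.1.10",
        "adc-dc04.corp.example": "6.0.9",
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host:<28} {sample_inventory[host]:<8} {status}")
```

Feed it whatever your asset inventory exports (CMDB, endpoint agent, or a manual list) and treat every "vulnerable" row as a host whose connector must be upgraded before the tenant's signing key can be considered safe from this exposure.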

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     7.7
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.