Identified - Institutional customers using custom SAML resources in OpenAthens should be aware of security vulnerabilities in Shibboleth Service Provider software and SimpleSAML Service Provider software which might affect the vendors they are connecting with.
What you need to do: We suggest institutional customers using custom SAML resources in OpenAthens send these links to their vendors and ask them to confirm either that their Service Provider software is unaffected or that the vulnerability has been addressed. To find the resources, go into the admin area and look at the custom tab within the resource catalogue. You only need to concern yourself with the ones that say SAML.
For the avoidance of doubt: these vulnerabilities do NOT affect the OpenAthens service. Please direct all queries to the vendors for which your institution is using custom SAML resources in OpenAthens.
Mar 18, 2025 - 15:18 GMT