2025's ruby-saml parser-differential bugs let attackers log in as any user. Here is how we cut an app over to Entra without a user-visible break.
Draft outline · Migration craft lens

In 2025 the GitHub Security Lab and PortSwigger disclosed authentication-bypass bugs in ruby-saml (CVE-2025-25291 and CVE-2025-25292) caused by parser differentials: the signature validator and the code that reads the assertion parse the same document into different trees, so a forged assertion logs you in as anyone. Old and hand-rolled SAML stacks are fragile; moving to a maintained Entra integration removes a whole class of bugs.
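The defensive shape that closes this bug class is: parse the response exactly once, resolve the signature's reference ID in that same tree, insist the ID is unique, verify the digest over the referenced element, and take the login identity only from inside that signed element. The toy validator below is an added illustration written for this outline; it is not ruby-saml's code, not the Entra SDK, and not a real XML-DSig implementation. It assumes a constructed HMAC key in place of the IdP's RSA key and a simplified canonicalisation (`canon`) in place of exclusive C14N, and it uses Python's standard library so it runs anywhere; the structure is what transfers, not the crypto.

```python
"""Toy SAML-style validator that parses once and binds the asserted identity
to the signed element (constructed illustration, not ruby-saml or Entra code)."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SIG_TAG = "{%s}Signature" % NS["ds"]
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Constructed shared key standing in for the IdP signing key (assumption:
# real XML-DSig uses RSA/ECDSA; HMAC keeps the example self-contained).
IDP_KEY = b"constructed-demo-key"


def canon(elem):
    """Deterministic serialisation of a subtree that skips any enveloped
    ds:Signature. Stand-in for exclusive C14N plus the enveloped-signature
    transform; prefix-independent because it uses Clark-notation tags."""
    if elem.tag == SIG_TAG:
        return ""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    children = "".join(canon(c) for c in elem)
    return f"<{elem.tag}{attrs}>{text}{children}</{elem.tag}>"


def digest(elem):
    return base64.b64encode(hashlib.sha256(canon(elem).encode()).digest()).decode()


def sign_response(name_id, key=IDP_KEY, assertion_id="_a1"):
    """Constructed IdP side: one Response holding one enveloped-signed Assertion."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1">
  <saml:Assertion ID="{assertion_id}">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#{assertion_id}"><ds:DigestValue/></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue/>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS)
    sig.find("ds:SignedInfo/ds:Reference/ds:DigestValue", NS).text = digest(assertion)
    signed_info = sig.find("ds:SignedInfo", NS)
    mac = hmac.new(key, canon(signed_info).encode(), hashlib.sha256).digest()
    sig.find("ds:SignatureValue", NS).text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def validate_and_extract(xml_text, key=IDP_KEY):
    """Single-parser SP side: returns the NameID of the signed Assertion or
    raises ValueError. Every lookup runs against the one parsed tree, so the
    validator and the identity extraction cannot disagree about the document."""
    root = ET.fromstring(xml_text)  # parse once; never re-parse a serialised copy

    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    sig = sigs[0]
    signed_info = sig.find("ds:SignedInfo", NS)
    ref = signed_info.find("ds:Reference", NS)
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")

    # Resolve the reference ID in the same tree and insist it is unambiguous.
    candidates = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(candidates) != 1:
        raise ValueError("signed element ID is missing or not unique")
    signed_elem = candidates[0]
    if signed_elem.tag != ASSERTION_TAG:
        raise ValueError("signature must cover a saml:Assertion")
    if sig not in list(signed_elem):
        raise ValueError("Signature must be enveloped in the element it signs")

    # Digest and signature checks with constant-time comparisons.
    expected_digest = ref.findtext("ds:DigestValue", default="", namespaces=NS)
    if not hmac.compare_digest(expected_digest, digest(signed_elem)):
        raise ValueError("digest mismatch")
    mac = hmac.new(key, canon(signed_info).encode(), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext("ds:SignatureValue", default="", namespaces=NS))
    if not hmac.compare_digest(mac, given):
        raise ValueError("signature mismatch")

    # Identity is read only from inside the element the signature covers.
    name_id = signed_elem.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("signed Assertion has no NameID")
    return name_id


def rejects(xml_text, key=IDP_KEY):
    """True if the validator refuses the document (used by the checks below)."""
    try:
        validate_and_extract(xml_text, key)
        return False
    except ValueError:
        return True


def duplicate_assertion(xml_text):
    """Negative-test helper: append a verbatim copy of the Assertion."""
    root = ET.fromstring(xml_text)
    root.append(copy.deepcopy(root.find("saml:Assertion", NS)))
    return ET.tostring(root, encoding="unicode")
```

Run stand-alone, `validate_and_extract(sign_response("alice"))` returns `"alice"`, while editing the NameID, signing with a different key, or appending a second copy of the Assertion all raise `ValueError`. In production the parser would also be hardened against DTD and entity processing (for example `defusedxml`), which the standard-library parser used here is not.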
Original research explaining the parser-differential bypass in clear detail.
Independent research lab corroborating the SAML signature and canonicalisation weaknesses.
Framed as migration craft, with the CVE as the reason rather than the whole story. It shows the App Mod discovery-to-build model in action: we do the risky cutover, at a fixed price, and remove a class of failure the agency could not see.