Application Modernisation · Deep dive 01

Sign in as anyone: why we move apps off hand-rolled SAML

2025's ruby-saml parser-differential bugs let attackers log in as any user. Here is how we cut an app over to Entra without a user-visible break.

Draft outline · Migration craft lens
The anchor

In 2025 the GitHub Security Lab and PortSwigger disclosed authentication-bypass bugs in ruby-saml (CVE-2025-25291 and CVE-2025-25292) caused by parser differentials: the validator and the application see different XML, so a forged assertion logs you in as anyone. Old and hand-rolled SAML stacks are fragile; moving to a maintained Entra integration removes a whole bug class.

Sources we build on
  Primary: Original research explaining the parser-differential bypass in clear detail.
  Primary: Independent research lab corroborating the SAML signature and canonicalisation weaknesses.

Article outline
  1. Why SAML is fragile. Signature wrapping, canonicalisation and parser differentials.
  2. The 2025 bypass in plain terms. Validator and app disagree, forged assertion wins.
  3. The target app. A legacy app that only speaks SAML, still in daily use.
  4. The cutover to Entra. Parallel trust, cohort migration, no user-visible break.
  5. What you retire. The hand-rolled library and its bug class.
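The failure mode in sections 1 and 2 is that the node the signature is checked against and the node the application reads the identity from are not the same node. As an added example (not code from the article or from ruby-saml), the check below enforces that invariant structurally before any cryptographic verification: unique IDs, exactly one same-document Reference, and the referenced element being the very object the app will consume. It assumes the app reads the first top-level saml:Assertion and that the assertion carries its own Signature; the sample responses are constructed and carry no real signature values.

```python
import xml.etree.ElementTree as ET

# Namespace map for the parts of a SAML Response the check needs to look at.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_signed_assertion(xml_text):
    """Return (ok, reason). Assumption: the app consumes the first saml:Assertion
    child of the Response and the signature covers that Assertion by ID."""
    root = ET.fromstring(xml_text)
    # 1. IDs must be unique: an ambiguous ID is what lets two parsers disagree.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attribute"
    # 2. The node the application will actually read the identity from.
    consumed = root.find("saml:Assertion", NS)
    if consumed is None:
        return False, "no top-level Assertion"
    # 3. The node the signature claims to cover: exactly one same-document Reference.
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one Reference, got %d" % len(refs)
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return False, "Reference URI must be a same-document ID"
    signed = [e for e in root.iter() if e.get("ID") == uri[1:]]
    # 4. Validated node and consumed node must be the same Python object.
    if not signed or signed[0] is not consumed:
        return False, "signature does not cover the consumed Assertion"
    return True, "ok"


# Constructed sample responses for the check (structural only, no real signatures).
HDR = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="r1">'
       % (NS["samlp"], NS["saml"], NS["ds"]))
SIGNED = ('<saml:Assertion ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
          '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/>'
          '</ds:SignedInfo></ds:Signature></saml:Assertion>')
GOOD = HDR + SIGNED + "</samlp:Response>"
# Must be rejected: the signed assertion sits inside an unsigned one the app reads first.
WRAPPED = (HDR + '<saml:Assertion ID="a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
           '</saml:Subject>' + SIGNED + '</saml:Assertion></samlp:Response>')
# Must be rejected: two elements share the signed ID, so validator and app may differ.
DUP_ID = HDR + SIGNED + SIGNED.replace("alice", "admin") + "</samlp:Response>"

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED), ("dup-id", DUP_ID)):
        print(name, check_signed_assertion(doc))
```

A maintained library performs these checks inside its canonicalisation and reference-resolution path; the point of the example is that the same structural invariant is what the hand-rolled stack in section 3 gets wrong.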
How it aligns to what we do

Framed as migration craft, with the CVE as the reason rather than the whole story. It shows the App Mod discovery-to-build model in action: we do the risky cutover, at a fixed price, and remove a class of failure the agency could not see.

Points to hit
Control it ratifies (ISM / E8): ISM authentication and secure-software controls; E8 Patch applications for the library, with the honest note that re-homing to Entra is the durable fix.