Simplesamlphp · Simplesamlphp · CVE-2017-12873
**Name of the Vulnerable Software and Affected Versions**
SimpleSAMLphp versions 1.7.0 through 1.14.10
**Description**
The issue arises when a SimpleSAMLphp Identity Provider is misconfigured, leading to incorrect persistent NameID generation. This can cause different users to receive the same identifier, potentially allowing attackers to obtain sensitive information or gain unauthorized access. The problem occurs when the `SimpleSAML_Auth_ProcessingChain` class attempts to keep a unique user identifier in the state array, but fails due to missing or empty attributes. As a result, all users connecting to a given service provider may receive the same `NameID`, which can be used to identify users across sessions. Some service providers have already observed cases where this issue has led to security problems.
**Recommendations**
Upgrade to the latest version.
Configure a `saml:PersistentNameID` authentication processing filter according to your needs, ensuring the attribute used as the source for the `NameID` is present, unique per user, and does not change over time.
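The failure mode and the source-attribute requirements above, as an added Python model (not SimpleSAMLphp's code): it shows how an empty or missing attribute collapses every user onto one `NameID`, a generator that refuses to issue one in that case, and an audit of directory data before the filter is configured. The hash derivation, salt, entity IDs, sample users and the choice of `eduPersonPrincipalName` as source attribute are assumptions made for illustration.

```python
import hashlib
from collections import Counter

SECRET_SALT = "constructed-salt"          # constructed value
IDP = "https://idp.example.org/metadata"  # constructed entity IDs
SP = "https://sp.example.org/metadata"

def _derive(user_id, sp=SP):
    # Simplified salted hash over (IdP, SP, user ID); an assumption, not SimpleSAMLphp's derivation.
    data = "\x00".join([SECRET_SALT, IDP, sp, user_id, SECRET_SALT])
    return hashlib.sha256(data.encode()).hexdigest()

def naive_name_id(attributes, source):
    # Failure mode: a missing or empty source attribute silently becomes "".
    values = attributes.get(source) or [""]
    return _derive(values[0])

def strict_name_id(attributes, source):
    # Hardened: exactly one non-empty value, otherwise no NameID is issued.
    values = attributes.get(source, [])
    if len(values) != 1 or not values[0].strip():
        raise ValueError(f"{source!r} must have exactly one non-empty value")
    return _derive(values[0])

def audit_source_attribute(users, source):
    # Report accounts that would break persistent NameID generation.
    missing = [n for n, a in users.items()
               if len(a.get(source, [])) != 1 or not a[source][0].strip()]
    counts = Counter(a[source][0] for n, a in users.items() if n not in missing)
    duplicated = sorted(n for n, a in users.items()
                        if n not in missing and counts[a[source][0]] > 1)
    return {"missing": sorted(missing), "duplicated": duplicated}

# Constructed sample directory: attributes are lists of values, as in SAML.
USERS = {
    "alice": {"uid": ["alice"], "eduPersonPrincipalName": ["alice@example.org"]},
    "bob": {"uid": ["bob"], "eduPersonPrincipalName": [""]},
    "carol": {"uid": ["carol"]},
    "dave": {"uid": ["dave"], "eduPersonPrincipalName": ["alice@example.org"]},
}

if __name__ == "__main__":
    src = "eduPersonPrincipalName"
    print(naive_name_id(USERS["bob"], src) == naive_name_id(USERS["carol"], src))
    print(audit_source_attribute(USERS, src))
```

An empty audit result only covers presence and uniqueness; whether the attribute stays stable over time has to be confirmed against how the directory assigns it.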