- DATE:
- AUTHOR: Griffin Solot-Kehl
SAML Shield: open source protection for SAML CVEs
We are excited to launch SAML Shield, a protocol-level validator that catches malicious SAML responses before they reach your app. Secure your stack from SAML vulnerabilities and assertion exploits with SAML Shield. Open source, protocol-aware, and production-ready.
SAML Shield lints and inspects every incoming SAML response using a hardened ruleset designed to detect known vulnerabilities (CVEs) and attack classes such as XML signature wrapping, replay attacks, entity injection, assertion mismatches, and dozens more protocol-level threats. We update the rules automatically within 24 hours of a CVE dropping, giving you proactive protection — even when your SAML provider or vendor hasn't patched yet.
You can integrate SAML Shield with any of the following methods:
- Managed: validate SAML responses against a hardened, protocol-aware backend with automatic updates to threat protections.
- Proxy: run SAML Shield as a proxy for applications you don't control, such as 3rd-party platforms or multi-tenant environments.
- Open-source Node.js library: validate SAML responses locally, directly within your authentication flow.
Already using Stytch for auth? All SAML Shield protections are already built into the product, and have been for some time, so you are already protected against SAML CVEs!
SAML Shield doesn’t replace your identity provider or SAML toolkit, but rather wraps around it. Use it with any IdP, any app, any environment. Enforce validation in production, or start in log-only mode to backtest risky assertions without disruption. Want to learn more? Check out our announcement blog post and visit samlshield.com today.