Inside GitHub: How we hardened our SAML implementation

GitHub has revisited its approach to integrating SAML (Security Assertion Markup Language) for enterprise authentication, originally introduced in 2014, due to its security complexities and vulnerabilities. Initially using a proprietary implementation, GitHub decided to transition to the community-supported ruby-saml library, which is actively maintained and offers improved security responses. To ensure a smooth transition, GitHub conducted rigorous testing, including A/B testing with their open-source tool Scientist, and collaborated with security researchers to address identified vulnerabilities. They also refined their SAML schema to minimize attack surfaces and implemented a dual-parsing strategy that uses both the new and old libraries for enhanced security, thus reducing the risk of new vulnerabilities slipping through. This approach not only improves GitHub's SAML implementation but also serves as a blueprint for managing complex and risky codebases.