What is the issue?
OneLogin has reported that a threat actor obtained access to the OneLogin US operating region. The threat actor was able to access OneLogin database tables that contain information about OneLogin users, apps, and various types of keys.
For more details refer to:
https://www.onelogin.com/blog/may-31-2017-security-incident
What components of Syncplicity are affected?
The issue does not directly affect the Syncplicity service and we have no indications of compromise of any Syncplicity systems.
Customers using OneLogin with Syncplicity in the following cases may be impacted:
- Customers using OneLogin Identity Provider (IDP) for Single-Sign-On (SSO) Authentication
- Customers using OneLogin with Active Directory
- Customers using OneLogin Account Provisioning with Syncplicity
What steps do customers need to take to address the vulnerability?
Please review the instructions provided by OneLogin and determine whether they apply to your situation. If you have not already performed the recommended remediation, apply the instructions below that match your configuration.
For Customers using OneLogin Identity Provider (IDP) for Single-Sign-On (SSO) Authentication
Per OneLogin guidance, you must generate a new OneLogin IDP certificate and upload the new certificate to your Syncplicity account.
- As a OneLogin Admin, create a new certificate on the OneLogin site. For information about creating new OneLogin certificates see: OneLogin Help - Creating and Applying Certificates
- When you create the new certificate, set the Key Length to 2048 and the Signature to SHA256
- Assign the new certificate to the Syncplicity application within OneLogin by going to the SSO tab under the Syncplicity application settings, and ensure that the SAML Signature Algorithm is set to SHA-256
- Download the new certificate (.pem file)
- Log-in to your Syncplicity Account and go to the Admin Page
- Under Settings > Custom domain and single sign-on
- Click on 'Choose File' and select the new .pem file you downloaded from OneLogin
- Click Save Changes
For more details on Configuring Syncplicity Authentication Settings with OneLogin see:
https://syncplicity.zendesk.com/hc/en-us/articles/202392804-Configuring-single-sign-on-SSO-
https://www.onelogin.com/partners/isv-partners/syncplicity
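Before uploading the downloaded .pem file on the Syncplicity admin page, it is worth confirming that the certificate actually has the properties the steps above ask for (a 2048-bit key and a SHA-256 signature) and that it is the newly generated certificate rather than the pre-incident one. The script below is an added example, not tooling from Syncplicity or OneLogin. It assumes the openssl command-line tool is installed and that the file is a PEM certificate as exported from the OneLogin SSO tab; the two sample certificates it generates are constructed test data standing in for the real download.

```shell
#!/bin/sh
# Added example (not Syncplicity's or OneLogin's own tooling): check an IdP
# signing certificate downloaded from OneLogin before uploading it to Syncplicity.
# Assumes the openssl command-line tool is available.

# check_idp_cert PEMFILE
# Prints the findings and returns 0 only if the certificate is acceptable.
check_idp_cert() {
  pem="$1"
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
    echo "FAIL: $pem is not a readable PEM certificate"
    return 1
  }
  # The first "Signature Algorithm:" line is the one inside the signed body.
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  # Key size is printed as "Public-Key: (2048 bit)" (OpenSSL 1.1 prefixes "RSA ").
  bits=$(printf '%s\n' "$text" | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*' | head -n 1)
  # The SHA-256 fingerprint lets you compare against what the OneLogin SSO tab
  # shows, so you know you are uploading the new certificate, not the old one.
  fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
  echo "certificate: $pem"
  echo "  signature algorithm: $sigalg"
  echo "  key length: ${bits:-unknown} bits"
  echo "  sha256 fingerprint: $fp"
  ok=0
  case "$sigalg" in
    sha256With*) ;;
    *) echo "  FAIL: signature algorithm must be SHA-256"; ok=1 ;;
  esac
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "  FAIL: key length must be at least 2048 bits"; ok=1
  fi
  # Refuse a certificate that expires within 30 days (2592000 seconds): uploading
  # one would only bring the rotation forward again.
  if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
    echo "  FAIL: certificate expires within 30 days"; ok=1
  fi
  [ "$ok" -eq 0 ] && echo "  OK: acceptable for upload"
  return "$ok"
}

# make_sample_cert OUTFILE BITS
# Constructed test data: a throwaway self-signed certificate standing in for
# the .pem downloaded from OneLogin (a real download would not be self-signed).
make_sample_cert() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 365 \
    -subj "/CN=example-onelogin-idp" -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Demo: one certificate that meets the advisory's requirements, one that does not.
dir=$(mktemp -d)
make_sample_cert "$dir/good.pem" 2048
make_sample_cert "$dir/weak.pem" 1024
for c in "$dir/good.pem" "$dir/weak.pem"; do
  if check_idp_cert "$c"; then echo "-> upload $c"; else echo "-> do not upload $c"; fi
done
```

Run it as `check_idp_cert /path/to/onelogin.pem` against the real download; the fingerprint line is the value to compare with the certificate shown in the OneLogin SSO tab.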
For Syncplicity Customers using OneLogin with Active Directory
If you are using OneLogin's Active Directory Connector, per OneLogin guidance, you must generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
See https://support.onelogin.com/hc/en-us/articles/115002695483-2017-05-31-OneLogin-Security-Incident-Action-Required for instructions.
For Syncplicity Customers using OneLogin Account Provisioning with Syncplicity
If you are using OneLogin for Syncplicity user account and group membership provisioning, regenerate the Application Token and use the new token to update the API Connection Access Token within OneLogin, by going to the Configuration tab under the Syncplicity application settings.
For more information see:
https://support.onelogin.com/hc/en-us/articles/204124404-Provisioning-for-Syncplicity
https://www.youtube.com/watch?v=3f04ebfDHIo&index=17&list=PLRPIpgyNOS6meLkHe1jDZ0v6pvz_DnZLq
Refer to the other OneLogin guidance as it may apply to your situation, such as:
- Force a directory password reset if Password Mapping is enabled in your OneLogin account settings, see https://support.onelogin.com/hc/en-us/articles/115002695483-2017-05-31-OneLogin-Security-Incident-Action-Required
- If you are using two-factor authentication with OneLogin OTP, re-register your OneLogin OTP apps
Syncplicity recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Syncplicity disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Syncplicity or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Syncplicity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.