As I reported to firstname.lastname@example.org, here's the authentication bypass vulnerability report. I've left some details out in this report but you're welcome to reach out to me with any questions.
Here's a more detailed overview:
It is possible to POST a custom SAML response to https://rpm.newrelic.com/accounts/$account_id/sso/saml/finalize and bypass authentication. When a SAML response is built by an identity provider, like Okta, it should be signed with an X.509 certificate. We should be confirming that the signed SAML response is valid but it appears that we’re overlooking that. This is described here: https://developers.onelogin.com/saml
Requirements to exploit this vulnerability: An account ID (for an SSO-enabled account) and user email are required.
I wrote a simple proof of concept to help illustrate this problem. The file,
nr-saml-poc.html was emailed to email@example.com in my initial report. You can open it in your browser and provide an account ID and user email and then POST the base64 encoded payload to New Relic. This should result in successful authentication.
I believe that if we ensure that the signed response is valid, it should be sufficient to resolve this issue. Unfortunately I have not had a lot of time to explore this issue and I think it would be good to review this in depth to make sure I have not missed any other important details.