SimpleSAMLphp is vulnerable to Insufficiently Protected Credentials. The vulnerability is due to credentials being insecurely saved to the user's session state when the ECP profile is disabled but supported in the Identity Provider's metadata, which could result in an attacker with administrator privileges accessing the credentials.