- Hi XXXXX,
- As part of a security update, we recently made a change in the way the HMAC (hash) is generated in simple SSO (includes AD SSO).
- As per the change, the order in which the attributes (name, secret key, email, timestamp) need to be passed for generating the HMAC has been modified. Earlier it was (name, email, secret key and timestamp).
- The reason for this change is to make single sign-on more secure. The earlier method allows for a vulnerability which is being made public on Friday. We have checked all accounts and we assure you that no accounts have been compromised so far.
- It was mentioned that we will be stopping support for the earlier method by Thursday. Having said this, we can still allow you to continue with the existing format for the SSO, but please be informed that it is better to move to the newer hash version and Freshdesk will not be held liable in case of any hacks.
- This will be a minor change to your existing settings and we’ll be more than happy to do that for you. In case you are using AD SSO, we request you to send us the script you are using so that we can make the necessary changes to it. In case of WordPress, we request you to update to the latest plugin (version 1.8.4) to address this issue. If you are using any other methods, we request you to get in touch with support for assistance.
- Do let us know once the changes have been made in the SSO configurations so that we can make the changes to secure your account. Please note that your account will continue to be accessible using the existing SSO method until we get further confirmation from you.