@jkakavas identified that GitHub Enterprise did not require all assertion elements within a SAML response to be signed. By exploiting a discrepancy between which signature within a SAML response was validated and which assertion element was used from the SAML response for authentication, it was possible to use a previously signed SAML response to authenticate as an arbitrary user.

We fixed this issue by performing much stricter validation of SAML signatures, ensuring all assertion elements within a SAML response have been properly signed. This issue has been fixed in GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, and 2.4.23.
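The following is an added example, not GitHub's code, of the structural check a service provider needs alongside cryptographic signature verification: every Assertion in the Response must either carry its own enveloped Signature whose Reference points at that assertion's ID, or be covered by a Signature over the whole Response. It assumes the Response and Assertion elements carry ID attributes and that enveloped signatures use fragment References (`URI="#id"`); the SAML response below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def signed_ids_in(element):
    """IDs referenced by ds:Signature elements that are direct children of `element`."""
    ids = set()
    for sig in element.findall(f"{{{DS_NS}}}Signature"):
        for ref in sig.iter(f"{{{DS_NS}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def unsigned_assertion_ids(response_xml):
    """Return the IDs of Assertion elements not covered by any signature.

    A Signature whose Reference is the Response ID covers every assertion,
    so an empty list is returned in that case. Otherwise each Assertion
    (including any nested one) must be referenced by its own enveloped
    Signature. Cryptographic verification of those signatures (e.g. with
    signxml or xmlsec) is a separate, still mandatory step.
    """
    root = ET.fromstring(response_xml)
    if root.get("ID") in signed_ids_in(root):
        return []
    unsigned = []
    for assertion in root.iter(f"{{{SAML_NS}}}Assertion"):
        aid = assertion.get("ID")
        if aid is None or aid not in signed_ids_in(assertion):
            unsigned.append(aid)
    return unsigned


# Constructed sample: the first assertion is signed, the second is not.
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("unsigned assertions:", unsigned_assertion_ids(RESPONSE))  # ['_a2']
```

A non-empty result means the Response must be rejected before any assertion is consulted for the authenticated subject.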