On the vApp IGA 14.5 GA, Identity Portal (as the SP) was integrated with PingFederate (as the IdP) using SAML.
A vulnerability assessment found a CRITICAL issue in this integration: the SAML signature can be bypassed, and the SAML Response can be modified so that the session is established as a different user.
Vapp IGA 14.5 GA
Identity Portal uses OpenSAML v2, which is already end of life (EOL); this is suspected to be the root cause of the SAML signature bypass.
Even though the SAML assertion is signed, Identity Portal’s OpenSAML v2 implementation does not strictly bind signature validation to identity extraction, allowing assertion tampering and user impersonation.
The hotfix HF_IP-14.5.0-20260220140226-SAML_ENCRYPTION_FIX.tgz.gpg is available to address this issue; in initial testing it enabled encryption of the SAML Assertion with PingFederate.
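As an added illustration, not Identity Portal code and not a reproduction of the hotfix, the Python below shows what "binding signature validation to identity extraction" means in practice: the subject identifier is read only from the single assertion whose XML signature was verified and whose ds:Reference URI points at that assertion's own ID, shown next to the unbound pattern that verifies that some signature is present and then reads the first NameID it finds anywhere in the document. It also includes a check that a decoded response carries an EncryptedAssertion rather than a plaintext Assertion, which is the state the hotfix is described as producing. The SAML documents are constructed test vectors, and demo_verify_xmldsig is a stand-in for real XML-DSig verification against the IdP's signing certificate; a production SP must use an XML-DSig library for that step.

```python
"""Bound vs. unbound SAML subject extraction, plus an encrypted-assertion check (illustrative)."""
import xml.etree.ElementTree as ET
from typing import Callable

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}

# Constructed marker that the stand-in verifier accepts; a real deployment verifies
# the XML-DSig over the assertion with the IdP's certificate instead.
CONSTRUCTED_GOOD_SIGNATURE = "CONSTRUCTED-VALID-SIGNATURE"


class SamlValidationError(Exception):
    """Raised when a response must be rejected before any identity is trusted."""


def demo_verify_xmldsig(assertion: ET.Element) -> bool:
    """Stand-in for XML-DSig verification (assumption: replaced by a real library in production)."""
    sig_value = assertion.find("ds:Signature/ds:SignatureValue", NS)
    return sig_value is not None and (sig_value.text or "").strip() == CONSTRUCTED_GOOD_SIGNATURE


def extract_bound_subject(response_xml: str, verify_xmldsig: Callable[[ET.Element], bool]) -> str:
    """Hardened pattern: the NameID comes only from the one assertion whose signature was verified."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("root element is not samlp:Response")
    # Only assertions that are direct children of the Response are acceptable; an assertion
    # anywhere else (e.g. nested inside another element) indicates tampering.
    assertions = root.findall("saml:Assertion", NS)
    if len(root.findall(".//saml:Assertion", NS)) != len(assertions):
        raise SamlValidationError("assertion found outside the expected position")
    if len(assertions) != 1:
        raise SamlValidationError(f"expected exactly one assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlValidationError("assertion has no ID attribute")
    # The signature must be a direct child of this assertion and reference this assertion's ID.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("assertion is not signed")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        raise SamlValidationError("signature does not reference this assertion")
    if not verify_xmldsig(assertion):
        raise SamlValidationError("signature verification failed")
    # Identity is extracted from the very element that was just verified, nothing else.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("verified assertion has no NameID")
    return name_id.text.strip()


def extract_subject_unbound(response_xml: str, verify_xmldsig: Callable[[ET.Element], bool]) -> str:
    """Defective pattern: confirms that a signed assertion exists, then reads the first NameID in the document."""
    root = ET.fromstring(response_xml)
    signed = [a for a in root.iter(f"{{{SAML}}}Assertion")
              if a.find("ds:Signature", NS) is not None and verify_xmldsig(a)]
    if not signed:
        raise SamlValidationError("no signed assertion")
    # Defect: this NameID is not necessarily inside the assertion that was verified.
    name_id = root.find(".//saml:NameID", NS)
    return (name_id.text or "").strip()


def assertion_is_encrypted(response_xml: str) -> bool:
    """True when the response carries an EncryptedAssertion and no plaintext Assertion."""
    root = ET.fromstring(response_xml)
    return (root.find("saml:EncryptedAssertion", NS) is not None
            and root.find(".//saml:Assertion", NS) is None)


# ---- constructed test vectors (not captured traffic) ----
def _assertion(aid: str, name_id: str, signed: bool) -> str:
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
           f'<ds:SignatureValue>{CONSTRUCTED_GOOD_SIGNATURE}</ds:SignatureValue></ds:Signature>') if signed else ""
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')


def _response(*body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1">'
            + "".join(body) + "</samlp:Response>")


SIGNED_RESPONSE = _response(_assertion("_a1", "alice", True))
# Negative vector: an unsigned assertion for another user placed before the genuinely signed one.
TAMPERED_RESPONSE = _response(_assertion("_a2", "mallory", False), _assertion("_a1", "alice", True))
ENCRYPTED_RESPONSE = _response(f'<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="{XENC}"/>'
                               "</saml:EncryptedAssertion>")

if __name__ == "__main__":
    print("bound, clean:", extract_bound_subject(SIGNED_RESPONSE, demo_verify_xmldsig))
    print("unbound, tampered:", extract_subject_unbound(TAMPERED_RESPONSE, demo_verify_xmldsig))
    try:
        extract_bound_subject(TAMPERED_RESPONSE, demo_verify_xmldsig)
    except SamlValidationError as exc:
        print("bound, tampered: rejected:", exc)
    print("encrypted:", assertion_is_encrypted(ENCRYPTED_RESPONSE), assertion_is_encrypted(SIGNED_RESPONSE))
```

On the clean vector both functions return alice; on the tampered vector the unbound pattern returns mallory while the bound pattern rejects the response before any identity is trusted. The encryption check is the quick way to confirm, from a decoded SAMLResponse, that the IdP is now sending an encrypted assertion.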
Ref# DE660470