SSO Access Mapping and Identity Binding Issues (DOM-26-004)
Summary
Digi On-Prem Manager had two SSO account-mapping issues.
- Value-specific SSO access mappings could match on the claim key without requiring the configured claim value.
- A rejected SSO sign-in against a local account could record an external identity on that account.
The first issue could grant configured access to an SSO user who had the mapped claim key but not the required value. The second issue could affect later administrative conversion of a matching local account to SSO.
Preconditions
This advisory applies only when SSO is enabled. The access-mapping issue requires at least one value-specific SSO mapping such as role[admin]. The identity-binding issue requires an existing local account and later account conversion to SSO.
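To make the first issue concrete, the following is an added illustration and not Digi's code: a matcher for value-specific mappings of the role[admin] form, with the flawed key-only check beside the corrected one. The key[value] mapping syntax is generalised from the single example in this advisory, and all names (AccessMapping, parse_mapping, matches, matches_key_only) are hypothetical.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class AccessMapping:
    """A parsed SSO access mapping: a claim key plus an optional required value."""
    claim_key: str
    required_value: Optional[str]  # None means a key-only mapping such as "role"


def parse_mapping(spec: str) -> AccessMapping:
    """Parse "role" (key-only) or "role[admin]" (value-specific); syntax assumed."""
    spec = spec.strip()
    if spec.endswith("]") and "[" in spec:
        key, _, value = spec[:-1].partition("[")
        if not key or not value:
            raise ValueError(f"malformed mapping: {spec!r}")
        return AccessMapping(key, value)
    if "[" in spec or "]" in spec:
        raise ValueError(f"malformed mapping: {spec!r}")
    return AccessMapping(spec, None)


def _claim_values(claims: Mapping[str, Any], key: str) -> list[str]:
    """Normalise one claim to a list of strings; IdPs send scalars or arrays."""
    v = claims.get(key)
    if v is None:
        return []
    if isinstance(v, (list, tuple, set)):
        return [str(x) for x in v]
    return [str(v)]


def matches_key_only(mapping: AccessMapping, claims: Mapping[str, Any]) -> bool:
    """The flawed check: presence of the claim key alone is enough, so
    role[admin] is satisfied by any token carrying a "role" claim."""
    return mapping.claim_key in claims


def matches(mapping: AccessMapping, claims: Mapping[str, Any]) -> bool:
    """The corrected check: a value-specific mapping must find the exact
    configured value among the claim's values (comparison is case-sensitive)."""
    values = _claim_values(claims, mapping.claim_key)
    if mapping.required_value is None:
        return bool(values)
    return mapping.required_value in values
```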
Solution
Update to Digi On-Prem Manager v26.06 or later.
Mitigations
Until the update is applied:
- Avoid value-specific SSO mappings for privileged groups unless the identity provider guarantees those claim keys.
- Verify stored SSO identities before converting local accounts to SSO.
Affected Versions
Digi On-Prem Manager versions before v26.06 with SSO enabled are affected.