Part of Akamai's incident management process for vulnerabilities in third-party software involves verifying potential impact in other systems using the same or similar libraries. While following that process when addressing the SAML impersonation vulnerability, CVE-2021-28091, which impacted Akamai's Enterprise Application Access (EAA) platform, incident responders assessed the impact on other Akamai software, including the code maintained by Inverse, which Akamai recently acquired.

During the impact review of Inverse, we determined that the SOGo and PacketFence packages use the vulnerable Lasso library and were impacted. SOGo and PacketFence are both open source packages that offer paid support contracts. Both packages use the Lasso library to integrate with SAML Identity Providers (IdPs), and thus were vulnerable to CVE-2021-28091 when SAML was used to authenticate users.…