The AAF has received important security advice from the Shibboleth project, which we want to share with our subscribers. This advice is in relation to the security of the federation and the ROBOT vulnerability (https://robotattack.org) identified late last year.

TLS keys impacted by the ROBOT vulnerability could:

• Allow an attacker to forge SAML responses and impersonate users from an Identity Provider.
  
• Allow an attacker to forge SAML requests resulting in disclosure of user data by an Identity Provider. 

This issue is independent of the deployed Identity Provider or Service Provider version, as such there is no specific patch available to remedy this issue. Administrators need to assess their requirements and tune their environments in line with this advice.

Recommendations

1. Administrators should read the linked security advisory to determine how it applies to their environment.
   
2.  Be aware of which keys you include in the metadata you advertise for AAF registered Identity Providers or Service Providers and whether they are used for TLS. Remove any unnecessary keys promptly.
   
3.  Ensure any unused or unsupported SAML features (e.g. Artifact support) are omitted from the metadata you advertise.
   
4.  Ensure that your TLS software is patched, well-maintained, and carefully configured in accordance with modern best practice (which is itself a moving target needing periodic review).
   
5. AAF Subscribers who are not running the latest versions of both the Identity Provider and Service Provider software should put in place plans to undertake upgrades as soon as possible. 

Official security advisory
http://shibboleth.net/community/advisories/secadv_20180123.txt

Credits
Thank you to the Shibboleth project and Internet2 for the research and advice which underpins this advisory.