Removal of port 8443 for IdPs - The Change

The AAF wishes to advise our subscribers of a deprecation in the recommended configuration for Identity Providers operating within the AAF and/or within eduGAIN. This change will assist in ensuring the longer term security of your Identity Provider.

The Change

Supporting back-channel connections to your IdP from SAML service providers, usually over TCP port 8443, is no longer recommended.

Service providers that implemented the older SAML v1.0 and v1.1 standards required IdPs to provide a back-channel connection for the retrieval of user attributes. These older versions of the SAML protocol have been superseded by the SAML v2.0 standard.

We believe there are no longer any service providers of significance that only support SAML 1.0 or 1.1. If any do exist, they present a security risk to the Identity Providers they use, as the software they are running is well and truly end-of-life.

To remove the potential risk from these older service providers and reduce the attack surface of your IdP, the AAF recommends that all IdPs turn off access to the IdP via port 8443.

Instructions for turning off this access are included on our support pages - Actions for AAF IdP administrators.
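As an added example (not part of this AAF notice or its support pages), the following Python check lets an IdP administrator confirm, from the IdP's own published SAML metadata, that no endpoint is still advertised on port 8443 and that no role descriptor still claims SAML 1.x support. The entity ID, hostname and endpoint paths in the embedded sample metadata are constructed for illustration.

```python
"""Audit IdP SAML metadata for port-8443 back-channel endpoints and SAML 1.x support."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML 1.x protocol URIs that may still appear in protocolSupportEnumeration.
SAML1_PROTOCOLS = {
    "urn:oasis:names:tc:SAML:1.0:protocol",
    "urn:oasis:names:tc:SAML:1.1:protocol",
}

# Constructed sample metadata for a hypothetical IdP (idp.example.edu), not a real entity.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

def audit_backchannel(metadata_xml, port=8443):
    """Return (endpoints, saml1_roles): endpoints whose Location uses `port`, and
    role descriptors whose protocolSupportEnumeration still lists SAML 1.x."""
    root = ET.fromstring(metadata_xml)
    endpoints, saml1_roles = [], []
    for role in root.iter():
        tag = role.tag.split("}")[-1]  # strip the metadata namespace
        if tag not in ("IDPSSODescriptor", "AttributeAuthorityDescriptor"):
            continue
        protos = set(role.get("protocolSupportEnumeration", "").split())
        if protos & SAML1_PROTOCOLS:
            saml1_roles.append(tag)
        for endpoint in role:  # direct children: SSO, artifact, attribute services, ...
            location = endpoint.get("Location")
            if location and urlparse(location).port == port:
                endpoints.append((endpoint.tag.split("}")[-1], location))
    return endpoints, saml1_roles

if __name__ == "__main__":
    eps, roles = audit_backchannel(SAMPLE_METADATA)
    for name, location in eps:
        print(f"still advertised on port 8443: {name} {location}")
    for role in roles:
        print(f"SAML 1.x still advertised in {role}")
```

Run it against the metadata file your IdP actually publishes (for example, load it with `open(path).read()` in place of `SAMPLE_METADATA`); an empty result for both lists is what you want to see after applying the change.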

