Shibboleth has identified a privacy exposure that can allow unintended links of user activity.

The Shibboleth Identity Provider supports the concept of "pairwise" identifiers that vary in value based on the identity of the relying party for a request. These are chiefly supported as values of SAML 2.0 NameIDs with a format of:

"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

A SAML Authn Request with certain content, combined with non-default settings or SAML metadata explicitly resulting in a response including a "persistent" NameID, can bypass the intended controls and disclose pairwise value meant for a different relying party.

Rapid IdP subscribers

All IdPs hosted by AAF RapidIdP have already been upgraded and no further action is required.

Affected Versions

• Versions of the Identity Provider between V3.0.0 and V3.4.4

Recommendations

• Upgrade to Identity Provider V3.4.5 or later

On-Prem IdP Subscribers

• A new version of the AAF Installer is available to complete this upgrade go to https://ausaccessfed.github.io/shibboleth-idp-installer/

View the official security advisory
https://shibboleth.net/community/advisories/secadv_20190918.txt

Thank you to the Shibboleth project for the research and code patches that underpin this advisory.