Shibboleth has identified a privacy exposure that can allow unintended linking of user activity.
The Shibboleth Identity Provider supports the concept of "pairwise" identifiers that vary in value based on the identity of the relying party for a request. These are chiefly supported as values of SAML 2.0 NameIDs with a format of:
A SAML Authn Request with certain content, combined with non-default settings or SAML metadata explicitly resulting in a response including a "persistent" NameID, can bypass the intended controls and disclose a pairwise value meant for a different relying party.
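The property at stake, shown as an added example (not AAF or Shibboleth code): a pairwise identifier derived per relying party, and an audit over constructed issuance records that flags a value delivered to a relying party it was not generated for. The HMAC-SHA256 derivation, salt, entity IDs, user names and record layout are assumptions for illustration, and this is not Shibboleth's generation algorithm.

```python
import hashlib
import hmac

# Constructed sample values; the salt, entity IDs and user names are illustrative.
SALT = b"constructed-demo-salt-not-a-real-secret"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
USERS = ["alice", "bob"]


def pairwise_id(user, relying_party, salt=SALT):
    """Derive a value that is stable per (user, relying party) pair (illustrative scheme)."""
    msg = relying_party.encode() + b"\x00" + user.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def audit_issued_ids(records, users=USERS, relying_parties=(SP_A, SP_B)):
    """Flag records whose NameID value was generated for a different pair.

    Each record is (user, relying_party_that_received_the_response, nameid_value).
    """
    # Reverse index: identifier value -> the (user, relying party) it was minted for.
    owner = {pairwise_id(u, rp): (u, rp) for u in users for rp in relying_parties}
    findings = []
    for user, recipient, value in records:
        minted = owner.get(value)
        if minted is None:
            findings.append((user, recipient, "unknown identifier"))
        elif minted != (user, recipient):
            findings.append((user, recipient, "value minted for " + minted[1]))
    return findings


# Constructed issuance records: the third delivers SP A's value for alice to SP B,
# which would let the two relying parties correlate her activity.
SAMPLE_RECORDS = [
    ("alice", SP_A, pairwise_id("alice", SP_A)),
    ("bob", SP_B, pairwise_id("bob", SP_B)),
    ("alice", SP_B, pairwise_id("alice", SP_A)),
]

if __name__ == "__main__":
    for finding in audit_issued_ids(SAMPLE_RECORDS):
        print(finding)
```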
Rapid IdP subscribers
All IdPs hosted by AAF RapidIdP have already been upgraded and no further action is required.
On-Prem IdP Subscribers
View the official security advisory
Thank you to the Shibboleth project for the research and code patches that underpin this advisory.