Dalia Abraham
Shibboleth has identified a privacy exposure that can allow unintended links of user activity.
The Shibboleth Identity Provider supports the concept of "pairwise" identifiers that vary in value based on the identity of the relying party for a request. These are chiefly supported as values of SAML 2.0 NameIDs with a format of:
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
A SAML AuthnRequest with certain content, combined with non-default settings or SAML metadata that explicitly results in a response including a "persistent" NameID, can bypass the intended controls and disclose a pairwise value meant for a different relying party.
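The following is an added example, not code from the advisory, from AAF or from the Shibboleth project. It illustrates why a pairwise identifier delivered to the wrong relying party is a privacy problem: the value is derived per relying party, so two services normally cannot correlate a user, and a value meant for one relying party turning up in a response to another is exactly the linkage the design is meant to prevent. The derivation follows the Shibboleth IdP's ComputedId data connector (Base64 of SHA-1 over relying party ID, source ID and salt, joined with "!"); the salt, entity IDs, user name and audit records are all constructed for the example, and the audit routine is a hypothetical IdP-side check, not a feature of the product.

```python
import base64
import hashlib

# Constructed placeholder salt; a real deployment's salt is a secret and never looks like this.
SALT = b"example-salt-not-a-real-secret"


def pairwise_id(relying_party_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Pairwise ("persistent") identifier as the Shibboleth IdP's ComputedId
    connector derives it: Base64(SHA-1(rpId + "!" + sourceId + "!" + salt)).

    Because the relying party ID is part of the hashed input, the same user
    gets a different value at every relying party; no relying party can link
    its value to another's by comparison alone.
    """
    data = relying_party_id.encode() + b"!" + source_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def audit_issued_nameids(records, salt: bytes = SALT):
    """Hypothetical IdP-side audit over (relying_party, source_id, issued_value)
    records. Any issued value that is not the pairwise id belonging to that
    relying party is flagged, and the check reports which relying party (among
    those seen in the same record set) the value really belongs to. Such a
    mismatch is the symptom of the exposure described above.
    """
    findings = []
    for rp, source, issued in records:
        if issued == pairwise_id(rp, source, salt):
            continue
        owner = next(
            (other for other, _, _ in records
             if pairwise_id(other, source, salt) == issued),
            None,
        )
        findings.append({
            "relying_party": rp,
            "source": source,
            "issued": issued,
            "belongs_to": owner,
        })
    return findings


# Constructed sample: two relying parties, one user, and one bad response in which
# the value computed for SP A was handed to SP B.
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
USER = "alice"

SAMPLE_RECORDS = [
    (SP_A, USER, pairwise_id(SP_A, USER)),   # correct
    (SP_B, USER, pairwise_id(SP_B, USER)),   # correct
    (SP_B, USER, pairwise_id(SP_A, USER)),   # SP B received SP A's value
]

if __name__ == "__main__":
    print("SP A value:", pairwise_id(SP_A, USER))
    print("SP B value:", pairwise_id(SP_B, USER))
    for finding in audit_issued_nameids(SAMPLE_RECORDS):
        print("cross-relying-party disclosure:", finding)
```

Running the block prints two different identifiers for the same user and one audit finding naming SP A as the owner of the value SP B received. In practice an IdP operator would feed the audit from the IdP's own audit log rather than an in-memory list, and the salt would come from the same configuration the data connector uses.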
Rapid IdP Subscribers
All IdPs hosted by AAF RapidIdP have already been upgraded and no further action is required.
Affected Versions
Recommendations
On-Prem IdP Subscribers
View the official security advisory (community/advisories/secadv_20190918.txt) at https://shibboleth.net/
Thank you to the Shibboleth project for the research and code patches that underpin this advisory.