Security Alerts - Security Advisory for Shibboleth Identity Providers [18 September 2019]
Shibboleth has identified a privacy exposure that can allow unintended linking of user activity across relying parties.
The Shibboleth Identity Provider supports the concept of "pairwise" identifiers that vary in value based on the identity of the relying party for a request. These are chiefly supported as values of SAML 2.0 NameIDs with a format of:
A SAML Authn Request with certain content, combined with non-default settings or SAML metadata that explicitly result in a response including a "persistent" NameID, can bypass the intended controls and disclose a pairwise value meant for a different relying party.
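To illustrate the pairwise property described above and the control an IdP must enforce when issuing a persistent NameID, here is an added example; it is not Shibboleth code, and the HMAC derivation, the salt and the entity IDs are constructed for the illustration:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not from the advisory): a per-IdP secret salt and
# two relying parties (SAML entity IDs) that the same user signs in to.
IDP_SALT = b"constructed-idp-secret-salt"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def pairwise_id(user_id: str, relying_party: str, salt: bytes = IDP_SALT) -> str:
    """Derive a pairwise identifier as an HMAC over the relying party and user.

    The same user yields a different, unlinkable value for each relying party,
    which is the privacy property the advisory is protecting. This derivation
    is illustrative only, not the Shibboleth IdP's own algorithm.
    """
    msg = f"{relying_party}!{user_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def issue_persistent_name_id(user_id: str, authenticated_requester: str,
                             requested_qualifier: Optional[str]) -> str:
    """Model of the control an IdP must enforce for a persistent NameID.

    The value is derived only for the relying party that actually sent the
    request (as established from its verified request and metadata), never for
    a relying party merely named inside the request body. A request naming a
    different party is refused instead of being answered with that party's value.
    """
    target = requested_qualifier or authenticated_requester
    if target != authenticated_requester:
        raise PermissionError(
            f"refusing to derive pairwise value for {target}: "
            f"request authenticated as {authenticated_requester}")
    return pairwise_id(user_id, authenticated_requester)
```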
All IdPs hosted by AAF RapidIdP have already been upgraded and no further action is required.
On-Prem IdP Subscribers
Thank you to the Shibboleth project for the research and code patches that underpin this advisory.