
Security Advisory for Shibboleth Identity Providers [18 September 2019]

Shibboleth has identified a privacy exposure that can allow unintended linking of user activity.

The Shibboleth Identity Provider supports the concept of "pairwise" identifiers that vary in value based on the identity of the relying party for a request. These are chiefly supported as values of SAML 2.0 NameIDs with a format of:

"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


A SAML AuthnRequest with certain content, combined with non-default settings or SAML metadata that explicitly results in a response containing a "persistent" NameID, can bypass the intended controls and disclose a pairwise value meant for a different relying party.
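As an added illustration (not code from this advisory or the Shibboleth project): a simplified model of how a pairwise identifier varies per relying party, and a guard that derives the value only from the authenticated requester so that nothing in the request body can steer generation toward another party's value. The hashing scheme, the `AuthnRequest` fields and all sample values are assumptions made for this example.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed salt for the example only; a real deployment keeps this secret.
SALT = b"constructed-example-salt"


def pairwise_id(source_id: str, relying_party: str, salt: bytes = SALT) -> str:
    """Simplified computed pairwise identifier.

    The value is a salted hash over the user's stable source identifier and
    the relying party's entityID, so the same user gets a different, stable
    value at each relying party. This models the general scheme only; it is
    not Shibboleth's exact algorithm.
    """
    material = salt + b"!" + source_id.encode() + b"!" + relying_party.encode()
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


@dataclass
class AuthnRequest:
    # entityID of the requester as established by the IdP (signature/metadata
    # binding), not taken from arbitrary request content.
    issuer: str
    # Hypothetical: any relying-party name the request body itself claims.
    claimed_relying_party: Optional[str] = None


def request_is_consistent(request: AuthnRequest) -> bool:
    """A request may not name a relying party other than the one it was
    authenticated as; such requests must not drive identifier generation."""
    return (request.claimed_relying_party is None
            or request.claimed_relying_party == request.issuer)


def issue_persistent_nameid(source_id: str, request: AuthnRequest) -> Optional[str]:
    """Return the persistent NameID for the authenticated issuer, or None if
    the request is inconsistent. The value is always derived from
    request.issuer, never from the claimed name in the request body."""
    if not request_is_consistent(request):
        return None
    return pairwise_id(source_id, request.issuer)
```

The guard illustrates the control an IdP must enforce: the pairwise value emitted for a request belongs to the party the request was authenticated as, so a different relying party never receives it.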


Rapid IdP subscribers

All IdPs hosted by AAF RapidIdP have already been upgraded and no further action is required.


Affected Versions

  • Versions of the Identity Provider between V3.0.0 and V3.4.4

Recommendations

  • Upgrade to Identity Provider V3.4.5 or later


On-Prem IdP Subscribers

View the official security advisory
https://shibboleth.net/community/advisories/secadv_20190918.txt

Thank you to the Shibboleth project for the research and code patches that underpin this advisory.

