-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [18 September 2019]

Improper exposure of pairwise identifiers to relying parties
============================================================

The Shibboleth Identity Provider supports the concept of "pairwise"
identifiers that vary in value based on the identity of the relying party
for a request. These are chiefly supported as values of SAML 2.0 NameIDs
with a Format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".

The software implements policy controls intended to prevent a relying
party from requesting a pairwise identifier in the namespace of a party
other than itself or one for which it is authorized.

A SAML AuthnRequest with certain content, combined with non-default
settings or SAML metadata explicitly resulting in a response including a
"persistent" NameID, can bypass the intended controls and disclose a
pairwise value meant for a different relying party. This is a privacy
exposure that can allow unintended correlation of user activity.

Affected Versions
=================
Versions of the Identity Provider between V3.0.0 and V3.4.4 (inclusive)

Recommendations
===============
Upgrade to Identity Provider V3.4.5 or later.

A mitigating control is to review the relying parties for which the
Identity Provider will a priori return a NameID with the "persistent"
Format. This generally involves reviewing or limiting any sources of
metadata containing a corresponding <NameIDFormat> element, or
configurations in the relying-party.xml file containing the
nameIDFormatPrecedence setting.
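The review described above can be scripted. The following is an added example, not Shibboleth project code and not part of this advisory: it enumerates the two places that cause a "persistent" NameID to be issued regardless of what the AuthnRequest asks for, namely <md:NameIDFormat> declarations in SAML metadata and nameIDFormatPrecedence settings in relying-party.xml overrides (both the p: shorthand attribute and the <property> list form). The entityIDs and the sample metadata and relying-party.xml fragments are constructed for illustration; the RelyingPartyByName / c:relyingPartyIds override shape is assumed to match the deployment being audited.

```python
"""List relying parties that will receive a "persistent" NameID a priori.

Added example (not Shibboleth code). Sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"

# Constructed sample metadata: sp1 advertises persistent, sp2 only transient.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed sample relying-party.xml override forcing persistent for sp3.
SAMPLE_RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp3.example.org/shibboleth">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
      </property>
    </bean>
  </util:list>
</beans>"""


def persistent_from_metadata(metadata_xml: str) -> List[str]:
    """entityIDs whose metadata advertises the persistent NameID Format."""
    root = ET.fromstring(metadata_xml)
    hits = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        formats = {(f.text or "").strip() for f in ed.iter(f"{{{MD_NS}}}NameIDFormat")}
        if PERSISTENT in formats:
            hits.append(ed.get("entityID"))
    return hits


def _precedence_values(bean: ET.Element) -> List[str]:
    """nameIDFormatPrecedence values on a bean, via p: shorthand or <property>."""
    values: List[str] = []
    shorthand = bean.get(f"{{{P_NS}}}nameIDFormatPrecedence")
    if shorthand:
        values.extend(shorthand.split(","))
    for prop in bean.findall(f"{{{BEANS_NS}}}property"):
        if prop.get("name") == "nameIDFormatPrecedence":
            values.extend(v.text or "" for v in prop.iter(f"{{{BEANS_NS}}}value"))
    return [v.strip() for v in values]


def persistent_from_relying_party(rp_xml: str) -> List[str]:
    """relyingPartyIds of overrides whose profile configuration forces persistent."""
    root = ET.fromstring(rp_xml)
    parent = {child: p for p in root.iter() for child in p}
    hits = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if PERSISTENT not in _precedence_values(bean):
            continue
        # Climb to the enclosing override bean to learn which relying parties it covers.
        node = bean
        while node is not None and node.get(f"{{{C_NS}}}relyingPartyIds") is None:
            node = parent.get(node)
        hits.append(node.get(f"{{{C_NS}}}relyingPartyIds") if node is not None
                    else "(override without c:relyingPartyIds)")
    return hits


def audit(metadata_xml: str, rp_xml: str) -> Dict[str, List[str]]:
    """Both sources in one report, so every entry can be checked against intent."""
    return {"metadata": persistent_from_metadata(metadata_xml),
            "relying-party.xml": persistent_from_relying_party(rp_xml)}


if __name__ == "__main__":
    for source, ids in audit(SAMPLE_METADATA, SAMPLE_RELYING_PARTY).items():
        for entity in ids:
            print(f"{source}: {entity} will receive a persistent NameID")
```

Every entityID the report lists is a party the IdP will hand a pairwise identifier without being asked; each should be confirmed as intentional, and metadata sources that cannot be trusted to declare the Format honestly should be filtered until the upgrade to V3.4.5 is complete.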
References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20190918.txt

Credits
=======
Takeshi Nishimura, GakuNin / National Institute of Informatics

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAl2BoPoACgkQN4uEVAIn
eWL16xAAxDxnHopZcjvyzKIKpOWcB2Ed4VNlaPnH8muTY7sIStvz8KL0OVpv1BqA
5NjbLhd11m66P7nZZpXFD3jyqtkuxspFrYcjM5Nz3/WTxSHMW55aeJcN9hbGQCIX
HtWKCrNaWY5BYqvNHHLGAopDlD26OysfQ0oF3WlrBadWqmk4Vco+1CIPdoTnKVTq
BC4LmyPbx1wvXN1WlQpAyhlK2PPyAYzMkDYCRrXP2JGjYWo3GCZ6PbrAKxuQHbFi
NI7bAr8QrCJw79iYaC4PK2wZ9zbZWK0vEY9CugXpAUHbH41y9ZhXf3K1zxnRc6MB
pffuiWjUpGDfAKt7/hpS6JYSNo6TDyQA+9TqP/XcIB8TeGyAt68Ql+jTGMlQFFhD
lVI14YTcwal+mO4CXwCzKyykR5az6TY3newPfgYtOVYCYHd/o7zZ13BO4LMqrfn1
rW0DwbP2mkKwEOKCB333mvUazx4w4emlVFdGxDMM5zozWz1CT0sdzq7WxmOlzlw/
Gv+rwNHnQUS+ZJ9YhleJHnIFPOk6vHyD5n6BJQmcSVVp+tJbuJhjG7ttEN1DeGbr
NxGle+JF+hs4kme7tMn0C/ed2iLgE+pERckJHH5q2bdTocK4Bm/SpgNfCamJzeUT
DmTg5DHaVxVSE8uwHisW+mgihAgJIKFtwrumFYEr6Gktc4sfuqE=
=lyga
-----END PGP SIGNATURE-----