Shibboleth Identity Provider Security Advisory [18 September 2019]
takeshi at nii.ac.jp
Thu Sep 26 06:28:31 EDT 2019
Thanks for the announcement.
It will be more useful if you can add the severity in advisories.
> Severity: moderate
For others' information, here is the Japanese translation:
On 2019/09/18 23:44, Cantor, Scott wrote:
> Shibboleth Identity Provider Security Advisory [18 September 2019]
> Improper exposure of pairwise identifiers to relying parties
> The Shibboleth Identity Provider supports the concept of "pairwise"
> identifiers that vary in value based on the identity of the relying
> party for a request. These are chiefly supported as values of SAML
> 2.0 NameIDs with a Format of
> The software implements policy controls intended to prevent a relying
> party from requesting a pairwise identifier in the namespace of a
> party other than itself or one for which it is authorized.
> A SAML AuthnRequest with certain content, combined with non-default
> settings or SAML metadata explicitly resulting in a response including
> a "persistent" NameID, can bypass the intended controls and disclose
> a pairwise value meant for a different relying party.
> This is a privacy exposure that can allow unintended correlation of
> user activity.
> Affected Versions
> Versions of the Identity Provider between V3.0.0 and V3.4.4
> Upgrade to Identity Provider V3.4.5 or later.
> A mitigating control is to review the relying parties for which the
> Identity Provider will a priori return a NameID with the "persistent"
> Format. This generally involves reviewing or limiting any sources of
> metadata containing a corresponding <md:NameIDFormat> element, or
> configurations in the relying-party.xml file containing the
> nameIDFormatPrecedence setting.
> URL for this Security Advisory
Takeshi Nishimura, GakuNin / National Institute of Informatics
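An audit helper for the mitigating control described in the quoted advisory: it lists the relying parties for which the IdP is configured to return a "persistent" NameID, from `<md:NameIDFormat>` in SAML metadata and from `nameIDFormatPrecedence` in relying-party.xml. This is an added example, not Shibboleth project code; it assumes the standard SAML metadata namespace, the Spring beans/p/c namespaces used in relying-party.xml, and the `c:relyingPartyIds` attribute form for RelyingPartyByName overrides. The sample XML is constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def persistent_from_metadata(xml_text):
    """entityIDs whose metadata advertises the persistent <md:NameIDFormat>."""
    root = ET.fromstring(xml_text)
    found = set()
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for fmt in ed.iter(f"{{{MD}}}NameIDFormat"):
            if (fmt.text or "").strip() == PERSISTENT:
                found.add(ed.get("entityID"))
    return sorted(found)

def _sets_persistent(bean):
    # Handles both p:nameIDFormatPrecedence="..." and <property name="..."> forms.
    values = [bean.get(f"{{{P_NS}}}nameIDFormatPrecedence") or ""]
    for prop in bean.findall(f"{{{BEANS}}}property"):
        if prop.get("name") == "nameIDFormatPrecedence":
            values.append(prop.get("value") or "")
            values += [v.text or "" for v in prop.iter(f"{{{BEANS}}}value")]
    return any(PERSISTENT in v for v in values)

def persistent_from_relying_party(xml_text):
    """relyingPartyIds of overrides whose profile beans prefer persistent (assumes c: attribute form)."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    hits = set()
    for bean in filter(_sets_persistent, root.iter(f"{{{BEANS}}}bean")):
        node = bean  # walk up to the enclosing RelyingPartyByName bean
        while node is not None and node.get(f"{{{C_NS}}}relyingPartyIds") is None:
            node = parent.get(node)
        hits.add("(unresolved)" if node is None else node.get(f"{{{C_NS}}}relyingPartyIds"))
    return sorted(hits)

# Constructed sample inputs (illustrative only, not real deployments).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
 <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth"><md:SPSSODescriptor>
  <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat></md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth"><md:SPSSODescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat></md:SPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""
SAMPLE_RELYING_PARTY = f"""<beans xmlns="{BEANS}" xmlns:p="{P_NS}" xmlns:c="{C_NS}">
 <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp-c.example.org/shibboleth">
  <property name="profileConfigurations"><list><bean parent="SAML2.SSO"
   p:nameIDFormatPrecedence="{PERSISTENT}"/></list></property></bean></beans>"""
```

Run both functions over every metadata source the IdP loads and over relying-party.xml; the union is the set of relying parties to review or limit until the upgrade to V3.4.5 is done.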