Shibboleth Identity Provider Security Advisory [18 September 2019]

Takeshi NISHIMURA takeshi at
Thu Sep 26 06:28:31 EDT 2019

Hi Scott,

Thanks for the announcement.
It will be more useful if you can add the severity in advisories.

> Severity: moderate

For others' information, here is the Japanese translation:

Best regards,

On 2019/09/18 23:44, Cantor, Scott wrote:

> Shibboleth Identity Provider Security Advisory [18 September 2019]
>
> Improper exposure of pairwise identifiers to relying parties
> ============================================================
> The Shibboleth Identity Provider supports the concept of "pairwise"
> identifiers that vary in value based on the identity of the relying
> party for a request. These are chiefly supported as values of SAML
> 2.0 NameIDs with a Format of
> "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".
>
> The software implements policy controls intended to prevent a relying
> party from requesting a pairwise identifier in the namespace of a
> party other than itself or one for which it is authorized.
>
> A SAML AuthnRequest with certain content, combined with non-default
> settings or SAML metadata explicitly resulting in a response including
> a "persistent" NameID, can bypass the intended controls and disclose
> a pairwise value meant for a different relying party.
>
> This is a privacy exposure that can allow unintended correlation of
> user activity.
>
> Affected Versions
> =================
> Versions of the Identity Provider between V3.0.0 and V3.4.4
>
> Recommendations
> ===============
> Upgrade to Identity Provider V3.4.5 or later.
>
> A mitigating control is to review the relying parties for which the
> Identity Provider will a priori return a NameID with the "persistent"
> Format. This generally involves reviewing or limiting any sources of
> metadata containing a corresponding <md:NameIDFormat> element, or
> configurations in the relying-party.xml file containing the
> nameIDFormatPrecedence setting.
>
> References
> ==========
> URL for this Security Advisory
>
> Credits
> =======
> Takeshi Nishimura, GakuNin / National Institute of Informatics
