Service desk closure for Winter break 2023-2024

Posted on Tuesday, 19 December 2023

As usual, along with most areas of Jisc, the UK federation service desk will take an extended break over Christmas and New Year. The helpdesk will be unavailable from 13:00 on Thursday 21st December, 2023 and reopen at 10:00 on Tuesday 2nd January, 2024. If you submit a request to service@ukfederation.org.uk during these dates, your email will be logged, but we won't be able to respond until we return in January.

UK federation metadata will be re-published automatically over the holiday period so, whilst we will not make changes to UK federation-registered entities, there may be changes due to entities imported via eduGAIN.

Edited by MatthewSlowe

Who's supplying the keys?

Posted on Tuesday, 24 October 2023

A recent incident affecting a very small number of entities in the UK federation has surfaced issues arising from IdPs and SPs using default cryptographic keys. The risk of using a default key is that someone may impersonate you. Impersonating a Service Provider (SP) could allow them to obtain information from an Identity Provider (IdP); whilst this is hard to achieve, it is not impossible. The risk of an IdP using a default key is that someone may impersonate your IdP almost trivially.

Edited by SteveGlover

Proposals for a Federated Credential Management API

Posted on Tuesday, 24 October 2023

User tracking for digital marketing can violate user privacy on the web. Now that browser vendors are looking to implement methods to stop user tracking, we must ensure these methods do not undermine other frameworks which protect privacy, such as Single Sign On through the UK federation, SAML and OpenID Connect. Jisc is monitoring these proposals from browser vendors and will keep UK federation members updated.

Edited by SteveGlover

Improving assurance about federated identities

Posted on Tuesday, 24 October 2023

Some services available through the UK federation require more assurance about federated accounts than eduPersonScopedAffiliation by itself. Service owners are asking questions like "has the home organisation seen government-issued photo identification about the account holder?" or "is the identifier re-used when the person leaves?" If you are asking similar questions, you may find the REFEDS Assurance Framework (https://refeds.org/assurance) useful.

Edited by SteveGlover

Shibboleth IdP version 5 has been released

Posted on Tuesday, 24 October 2023

In September 2023, the Shibboleth Project released version 5 of the Shibboleth IdP. The Shibboleth Project has also given notice that the planned end of life date for version 4 is 1 September 2024. Until then, they will be issuing security patches for version 4 if necessary, although there will be no further functional enhancements.

Edited by SteveGlover

End of Support for Shibboleth v3 IdP

Posted on Tuesday, 24 October 2023

Shibboleth IdP version 3 reached its end of life at the end of 2020. The Shibboleth project is not providing any security releases for this version and there are no bugfix releases. Please ensure you are not using this version.

Edited by SteveGlover

UK federation position paper about SAML subject identifiers

Posted on Tuesday, 24 October 2023

The UK federation recommends using eduPersonTargetedID as a pseudonymous persistent identifier when the service needs no personal information to function and you need to preserve privacy for end users.

Edited by SteveGlover

Shibboleth Identity Provider + OpenSAML Security Advisory

Posted on Wednesday, 11 January 2023

Shibboleth users have been notified of a critical Remote Code Execution (RCE) vulnerability in some deployments of the Shibboleth Identity Provider (IdP). The formal announcement from the project is included below and was posted to announce@shibboleth.net [1] on Friday December 16 2022.

Ref: https://shibboleth.net/community/advisories/secadv_20221216.txt

Edited by SaraHopkins

Shibboleth SP Open Redirect vulnerability affecting Logout Handler: TLP:CLEAR

Posted on Tuesday, 10 January 2023

The UK federation team are asking you to be aware of Open Redirect vulnerabilities.

We have been working with operators of Shibboleth SP software who, because of a default in some releases of the software, have an Open Redirect vulnerability affecting the SP’s Logout Handler. A significant number of these Service Providers (SPs) have now corrected their configuration. However, a number remain with the vulnerability. If we have previously contacted you, this is a reminder to test and fix your deployments.

Edited by SaraHopkins