AAF boost 2014 report for AAF EXAMPLE ORGANISATION
This report focuses on the following 4 key areas to help boost your connection to the federation: Assurance; Awareness of federation tools; Your Identity Provider (IdP) deployment; and Security.
AAF boost 2014
Hi AAF boost Representative!
Thank you for taking part in the AAF boost Program. Attached is your customised AAF boost Report for 2014. Your participation in the Program helps us to better understand the identity management practices in the sector. It also enables us to provide you with specific advice on how your connection to the AAF is performing. Should you require any help in interpreting the information in this report, please don't hesitate to contact me directly.
Kind Regards,
Terry Smith
boost Program Manager
Australian Access Federation
Table of Contents
1. Overview... 4
1 Assurance... 7
2 Awareness of Federation tools... 10
3 IdP Deployment... 12
3.1 Technical... 12
3.2 User Interface... 14
3.2.1 Corporate Branding and Information... 15
3.2.2 Federation Information... 17
3.3 Security... 18
3.3.1 SSL and Certificates... 18
3.3.2 Web Server and Server configuration... 21
1. Overview
The AAF boost program is designed to undertake a process of data collection, analysis, profiling and reporting. The program provides you with key information to review within your organisation to help you with best practice federated identity management. Figure 1 below provides a high level overview of the stages of the boost Program and who is involved at each stage.

Figure 1: The AAF boost Program (stages and the party responsible for each)
- Subscriber: Identify and coordinate improvement activities
- AAF: Facilitates regular surveys and data collection based on sector priorities
- Subscriber: Complete survey responses; data is collected by the AAF
- Subscriber: Review organisation activity and direction
- AAF: Provide technical assistance
- AAF: Analyse results and generate sector baselines
- AAF: Communicate and publish results
- AAF: Profile individual organisations against baselines
In this boost we have used a number of surveys and data collection methods to generate this report. Table 1 below outlines the data sources, their methods of collection and whether this information has been provided by your organisation for this boost.

Table 1: boost Data Sources and availability of information
Data source | boost focus | Collection method
AAF IdP Enhancement Program #1 Identity Management | Survey on general Identity management practices and activities undertaken by your organisation. | Survey
AAF boost Worksheet | Verify contact information and IdP software versions within your organisation. | Worksheet
AAF boost survey | Targeted survey covering higher levels of identity assurance, awareness of AAF tools and technical deployment of the Identity Provider (IdP) in your organisation. | Survey
IdP deployment | AAF review of your IdP deployment with a focus on usability, branding and security aspects of the deployed IdP. | Analysis and review
AAF logs | AAF review of federation logs identifying if various configuration options have been deployed and how they have been deployed. | Analysis and review

This report is a result of the analysis of the data that was available for your organisation. It is divided into the following four sections: Assurance; Awareness of federation tools; IdP deployment; and Security.
Each section has an overview and a table of boost items against which your organisation and your Identity Provider (IdP) have been reviewed. Each boost item is comprised of a question that has been asked of your organisation or your identity providers, a status indicator to highlight where your organisation currently is, and a brief description of the item with a short recommendation / action that you should consider implementing. There is also a web link for more information in most sections. Table 2 below provides a dashboard of your boost results.

Table 2: Your boost Summary
Count | boost Summary
35 | Good job, well done - no action is required.
11 | Needs reviewing - action is recommended.
1 | Action is required.
 | Immediate action is required.
 | No response was provided in the survey.
AAF boost
1 Assurance
This boost is targeting the Identity Assurance concept. As the federation continues to grow, new services that are confidentiality constrained or high cost will begin to appear in the federation. The nature of these services will require increased rigour around the identity proofing of the users entitled to use them. This section investigates the ability of organisations to apply this rigour to the identity proofing process and provides details about the AAF Level of Identity Assurance Register (LoIAR) service, which provides a solution to assist your organisation in speeding the introduction of higher levels of identity assurance to those end-users/services that require it.

The AAF Assurance framework identifies two separate concepts for assurance:
- Identity Assurance: The strength of the processes used to identify the user at the time of user registration.
- Token and Credential Management Assurance: The strength of the token used and the strength of the processes used to manage tokens and credentials.
This boost is targeting the Identity Assurance concept.

boost Item: Is your organisation aware of the AAF Identity Assurance Framework?
Status: Action is recommended.
Description: The AAF has developed an Identity Assurance Framework that is intended to allow high cost or security constrained services to participate in the federation by reducing the risk of unauthorised access through higher levels of identity assurance. The framework is based on the NIST SP 800-63-2 standards.
boost: You have a basic awareness of the framework, its requirements and benefits. As the federation moves forward and your researchers start to request access to services that require the higher level of identity assurance, you will need to be able to respond to such requests. We recommend that you start now by reviewing the framework information available on the AAF web site.

boost Item: Do you understand the requirements of operating at Level of Assurance 1 (LoA1)?
Description: The AAF Identity Assurance Framework provides two levels of assurance; the second builds upon the first, so a knowledge and understanding of Level 1 is essential prior to providing Level 2.
boost: Having a solid understanding of Level 1 is the stepping stone to meeting Level 2 of Assurance. Having implemented, or planning to implement, Level 1, you are well on the way to future proofing access to new and exciting services for your end-users.
Page 7 of 23

boost Item: Do you understand the requirements of moving to Level of Assurance 2 (LoA2)?
Description: Level 2 of the Identity Assurance Framework is where we want all of the federation identity providers to be. This does not mean that all of the federation end-users need to be asserted with a Level of Assurance 2, but if they do require it to access high cost or security constrained services then the processes and procedures will be in place to make it possible for them to do so.
boost: Excellent, your organisation is ready or almost ready to start issuing Level 2 identity assurance to users who require it. The final step is submitting the extended compliance form (see below). When this occurs you can start issuing Level 2 identity assurance to your users.

boost Item: Are you aware of the additional compliance requirements for issuing higher levels of assurance (LoA2)?
Status: Action is recommended.
Description: Before your organisation can begin issuing Level 2 identity assurance to your users you must adapt your processes to meet the requirements of Level 2 and document them in a practice statement. The next step is to submit the extended compliance form with a copy of your practice statement.
boost: You are aware of the additional compliance requirements for issuing higher levels of assurance but have no requirement to submit yet. The extended compliance form is your organisation's declaration that you are performing identity proofing of your users as required by the level to which you are assuring them. The compliance statement must be submitted annually and you must also provide a copy of your practice statement. Even though you have no requirement to submit a compliance statement now, a number of services have indicated their future requirement for Level 2 Identity Assurance. To be prepared you should review the compliance form and review your practice statement.

boost Item: Are you aware of the AAF LoIAR system for issuing higher levels of identity assurance?
Status: Action is recommended.
Description: The AAF Level of Identity Assurance Registration system (LoIAR) has been developed to allow organisations to register users within the federation with a specific level of identity assurance. This allows your organisation to quickly provide your users with a higher level of identity assurance without needing to modify your identity management processes or systems. The only requirement is the ability to record the identity information presented by the user when requesting a LoA2 based on the AAF identity proofing processes.
boost: The LoIAR system allows you to assert higher levels of identity assurance for your users without needing to change your current identity management systems; it can be used as a gap filler until your systems are ready. If you are planning to use the LoIAR system as part of your Identity Assurance processes and practices you must note this in your practice statement. The LoIAR system only allows you to assert the LoA values for a user; it does not record the information you used for identity proofing, so you must maintain this information locally. To be prepared you should spend some time reviewing the LoIAR system as an option.

boost Item: Are you aware of the processes involved in identity proofing?
Status: Action is recommended.
Description: Prior to being issued a Level 2 of Identity Assurance your users must first have had their identity verified. This can occur either in-person or as separate physical encounters or electronic transactions. To have their identity proofed the user must demonstrate possession of a valid current primary government picture ID that contains their picture and either their address of record or their nationality of record - in other words, either a driver's license or a passport. Records of the document's ID number, the user's address and date of birth must be kept. The process your organisation uses for identity proofing must be recorded in your practice statement.
boost: You are aware of the processes involved in identity proofing as outlined at http://aaf.edu.au/technical/levels-of-assurance/ but have no current plans to implement. You should consider starting to plan, implement and document your identity proofing processes to future proof access to exciting services for your end-users.
2 Awareness of Federation tools
The AAF provides its Subscribers with an array of tools and services to assist with the management of your connection to the federation. This section investigates your organisation's awareness of these tools and provides information on the function and operation of those tools of which you may not be aware, and which may improve how you deliver the federation to users within your organisation.

boost Item: Rate your awareness of the AAF Federation Registry tool.
Description: The AAF Federation Registry (FR) is the engine room of the federation. Its primary purpose is the management and generation of the federation metadata that is used by all Identity Providers and Service Providers in the federation.
boost: You are a regular user of the Federation Registry.

boost Item: Rate your awareness of the AAF Virtual Home service.
Status: Action is recommended.
Description: The AAF Virtual Home (VH) is a service that the AAF operates which allows your organisation to create sponsored user accounts for your external collaborators and visitors to the federation. All organisations are entitled to use the Virtual Home and are responsible for the users they add to the Virtual Home as if they were their own users.
boost: You are familiar with Virtual Home but have not used it. See the more information link to find out about the advanced functions of Virtual Home and how you can enable your external users/collaborators.

boost Item: Rate your awareness of the AAF Distribution Service.
Description: The AAF Distribution Service is a highly available, fault tolerant service that is used to distribute the federation metadata that is used by all Identity Providers and Service Providers in the federation. It also distributes the attribute release rules specific to each Identity Provider. Your IdP should be configured to reload these files regularly, every 2 to 3 hours, to ensure it has the latest federation technical information available.
boost: You understand that the distribution service is part of a high availability IdP deployment, providing a fault tolerant solution to the distribution of essential files used by federation components such as your IdP.

boost Item: Rate your awareness of the AAF Federation Status (status.aaf.edu.au) service.
Status: Action is recommended.
Description: The AAF Federation Status is a monitoring dashboard that continually watches and reports on the health of the federation as a whole. It provides useful information to institution help desks and support staff within your organisation.
boost: You have used Federation Status occasionally and are aware of the basic features and benefits of this monitoring system. You should increase your knowledge of this service so you can promote its use within your support teams.

boost Item: Rate your awareness of the AAF Attribute Validator tool.
Description: The Attribute Validator is a tool that allows your end-users and help desk staff to check that attributes are being correctly released. The tool allows users to generate a .pdf report to help with the diagnosis of any attribute release issues causing access problems to AAF connected services.
boost: No action is required, although we suggest you continue to promote the use of the Attribute Validator within your support teams.
3 IdP Deployment
This boost is specifically targeting organisations that operate Identity Providers, identifying areas for improvement that will assist service providers to have a higher level of trust in the information that is asserted. This section is divided into a number of sub-sections that review a range of different aspects of the Identity Provider.

3.1 Technical
The technical aspect investigates the configuration and technical deployment of the Identity Provider to determine if best practice service management activities are evident within your organisation.

boost Item: Are automated attribute filters in use, and how is attribute filtering managed?
Description: Services within the federation rely on attributes to operate correctly. Each service registers the attributes it needs in the Federation Registry. Each IdP provides user attributes to services. The attributes that the IdP is willing to release are also recorded in the Federation Registry. With this information the federation creates individual attribute maps for each Identity Provider and distributes them using the distribution service. IdPs can be configured to automatically load these maps, ensuring all services receive the attributes they require.
boost: Automated attribute filters have been provided to reduce your workload in maintaining your IdP and to ensure your users are providing the attributes needed by services. It is fantastic that you are aware of these benefits and have configured your IdP to take advantage of them.

boost Item: Does your IdP have a high availability configuration?
Description: By providing a highly available Identity Provider you are attempting to reduce the risk of downtime for your users accessing services in the federation. If your IdP is unavailable your users cannot log in to any federation services.
boost: Your IdP is currently configured for high availability.

boost Item: Where is the IdP deployed? Which organisational area is responsible for the operation of your IdP?
Description: Your Identity Provider is a key component of the Identity and Access Management (IAM) infrastructure. As such, the server that it is deployed on should receive the same level of care and attention as the rest of your IAM servers, such as your directory servers. Your Identity Provider being a key component of your IAM infrastructure, it should be maintained and operated by, or in conjunction with, the same team as the rest of your IAM systems. In most cases your organisation will have a team that specialises in Identity and Access Management, has system administration and security skills and is well versed in running production level systems. This team should also be responsible for your IdP.
boost: Your IdP is part of your Identity and Access Management infrastructure. This infrastructure is essential for the ongoing operation of your organisation. You consider this service important enough to have as a first class citizen within the corporate data centre(s), one that receives the highest levels of ongoing operational support, care and attention.

boost Item: What is the status of your IdP in the AAF Test Federation?
Description: The AAF operates two parallel federations, test and production. Both federations have the same tools and core services. The test federation is there to provide you with an environment for performing upgrades, developing and testing services, etc. To make the most of the test federation you should have an IdP deployed that can be used for these purposes.
boost: You have an IdP in the AAF Test Federation which is an accurate reflection of the production IdP and is used in change management activities related to the IdP. This helps to ensure changes you make to your IdP are well tested and proven in the test environment before applying the changes in production, where errors could have a significant impact on your users.

boost Item: Is your IdP monitored by the AAF Status system?
Description: The AAF Status system has been provided to allow everyone from the AAF team, to organisational service desks, through to end users to quickly identify issues that may be affecting their ability to use federation services. Having your IdP registered and monitored helps the whole federation.
boost: Your IdP is configured with a number of AAF monitors including the Time Sync monitor, recommended for all components of the federation.

boost Item: Which version of the Shibboleth IdP software do you have installed?
Status: Action is recommended.
Description: As software ages bugs appear, security issues are identified and enhancements are made. The Shibboleth Identity Provider is software and has a history of bug fixes, security patches and enhancements which are well publicised. Your organisation should be tracking the releases of Shibboleth and regularly upgrading to the latest versions soon after they are released.
boost: The version of the IdP you have installed is recent but not the current version. We recommend you start planning an upgrade to your IdP in the near future. It is also important that you maintain patch levels as they become available.

boost Item: Which version of the Java JDK do you have installed on your IdP?
Description: The Java JDK is software and as such is being regularly patched and updated. The JDK underpins Shibboleth so it too should be tracked for new releases and patched soon after new versions are released. This practice of regular software upgrades and patching should apply to the entire software stack including the operating system. Your JDK and Shibboleth being patched regularly is a good indicator that the rest of your software stack is receiving the regular maintenance it needs to be secure and robust.
boost: You are running the latest version of the Java JDK. It is important that you maintain patch levels as they become available.

3.2 User Interface
This boost reviews what your end users experience when using your organisation's IdP and the type of information and services provided by your IdP that will assist them when using federated services. This section has been divided into two sub-sections. The first is corporate branding and information: the user interface and organisational information that a user would expect to see on any web page provided by your organisation, and specific information that relates to authenticating to services using the IdP. The second is information about the federation and using the services that are available.

3.2.1 Corporate Branding and Information
This section investigates how well your Identity Provider ensures that your users are aware that they are logging into federated services as a member / representative of your organisation and that they understand their responsibilities as such users.

boost Item: Does your IdP have your corporate logo and images?
Description: Your users, staff and students will regularly be viewing your IdP login page. They will also be using other sites within your organisation. To ensure that your users will be comfortable entering their username and password, the login page should have the same corporate logos, images and branding as the rest of your site.
boost: Your users should be comfortable using your IdP to login, as you have done an excellent job ensuring your corporate branding has been transferred to your IdP.

boost Item: Does your IdP have your corporate colours and fonts?
Description: In the same vein, the colours and fonts used on your Identity Provider should also match those in general use across the rest of your organisation.
boost: Your IdP login page matches your corporate branding.

boost Item: Does your IdP have your standard corporate links shown, eg, Accessibility, Copyright, Disclaimer, Privacy, etc?
Description: Your users, who should be familiar with your organisation's web site and its layout, should expect to find a similar layout on your Identity Provider login page. Common items such as Accessibility, Copyright, Disclaimer and Privacy should be available.

boost Item: Is the name known by your users for their username / password consistently used on the IdP?
Description: Most organisations have created a local name for a user's credentials in place of "Username and Password". Your Identity Provider is an extension of your authentication system, allowing your users to use their credentials to access resources beyond the university. The name used on the IdP login page to describe these credentials should be consistent with the local name.

boost Item: Are there links to your Support desk provided on your IdP?
Description: More often than not users will have problems logging in and they will require support. Providing a link to your support desk from your IdP login page gives them direct access to this support.
boost: Your IdP provides a link to your Support Desk.

boost Item: Does your IdP have a link to the Terms of Use or similar page?
Status: Action is recommended.
Description: All organisations should have some form of Terms of Use for their users to access computing resources. A direct link to these conditions will help increase awareness that such conditions exist, and some users may actually spend the time to read them.
boost: Your IdP does not provide a link to your organisation's Terms of Use; we recommend that one be provided.

boost Item: Does your IdP provide a link to recover or manage passwords or other credentials?
Status: Action is recommended.
Description: Users do forget or lose their passwords from time to time, particularly if their passwords expire on a regular basis. Providing a link to assist users with their password management may reduce unnecessary support desk calls to reset passwords.
boost: Your IdP does not provide a link to your change or manage password page; we recommend that one be provided.

boost Item: Does the default server page of your IdP lead to an appropriate page?
Description: What happens if someone decides to browse to the server, https://idp.uni.edu.au? Do they get redirected to your home site, to a meaningful error page or a local support page, or do they get the web server's out-of-the-box web page stating that it is an Apache web server version X.Y or similar? If the latter, you are providing unnecessary information about your infrastructure.
boost: The default server page of your IdP leads to an appropriate page.

3.2.2 Federation Information
This section extends the corporate information into the federation, ensuring additional federation related information is being provided to users in a user friendly and understandable way.

boost Item: Does your IdP use the AAF Logo and / or provide links to information about the federation?
Description: Your organisation is part of the Australian Access Federation; be proud of it and let your users know. You can even assist your users by providing links to the AAF service catalogue, allowing them to find out what services are available via the federation.
boost: The AAF Logos and Links are clearly visible on your IdP.

boost Item: Does your IdP provide guidance for users when they are finished accessing services?
Description: The federation does not provide a federation single logout option due to the technical difficulties in doing so, an issue that is well documented and regularly commented on. To ensure users do not inadvertently leave a session logged in, particularly on a public computer, they should be advised to close their browser when they finish their session. This advice should be clearly stated on the login page.
boost Item: Does your IdP use technical jargon that may not be understood by general users?
Description: The use of technical words such as Shibboleth, Identity Provider and Service Provider mean a lot to technical folk but can be indecipherable technical jargon to end users. Your IdP should not use such technical terms; it should use words that are in common usage and that provide a clear description of what action the user is about to undertake.

boost Item: Does your IdP clearly show the name of the service the user has selected to access?
Description: Your Identity Provider has the ability to display the name of the service the user is attempting to use. Providing this information helps complete the login workflow, keeping the user focused on what they are doing: attempting to use a selected service.
boost: Your IdP clearly shows the name of the service the user has selected to access.

3.3 Security
Various high-profile hacking attacks and recent announcements of security bugs such as Heartbleed have proven that web security remains one of the most critical identity management issues. Web servers are one of the most targeted public faces of an organisation, and it is important that you use best practice in securing your systems. Although securing a web server can be a daunting operation and requires specialist expertise, it is not an impossible task. This boost looks at two security aspects of your IdP, firstly SSL and Certificates, then the Web Server and Server Configuration, providing advice on any issues that are identified.

3.3.1 SSL and Certificates
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. Thankfully all of the AAF Identity Providers are no longer vulnerable to this bug. This however is not the only issue related to SSL and Certificates that can affect the security of your IdP. This section looks at a range of security issues related to SSL and Certificates that have been identified in the review of the federation's IdPs. Providing a secure environment for your users must be one of your organisation's highest priorities; we recommend you address all issues identified in this section as a matter of priority to ensure you have all GREEN status flags in the next boost.

boost Item: Does your IdP Web server use weak cipher suites apart from those required to support older browsers?
Status: Action is recommended.
Description: A correct mix of ciphers ensures the highest level of security while maintaining access for users using older browsers.
boost: Only the weak but suitable ciphers were identified on your IdP server. We recommend updating your web server to also use the stronger ciphers that are available. See the More information link for the list of recommended ciphers.

boost Item: Does your IdP have an older version of the OpenSSL libraries installed?
Description: As a result of the Heartbleed bug, many organisations upgraded their OpenSSL libraries to the latest version. Some however continue to use older versions of OpenSSL libraries that were not affected by Heartbleed. These earlier versions do have a number of vulnerabilities that can only be addressed by upgrading to the latest version of the libraries.
boost: Your OpenSSL libraries are at a recent version.

boost Item: Is your IdP susceptible to the OpenSSL CCS Man in the Middle Security Bypass Vulnerability?
Description: A number of versions of OpenSSL are prone to a security-bypass vulnerability by a man-in-the-middle attack. This attack does give unauthorised access to your web server but is more difficult to construct. This does not however reduce the potential impact of such an attack.
boost: Your OpenSSL libraries are at a recent version.

boost Item: Is your IdP susceptible to the OpenSSL 'ssl3_get_record()' Remote Denial of Service Vulnerability?
Description: A number of versions of OpenSSL are prone to a vulnerability that allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number.
boost: Your OpenSSL libraries are at a recent version.

boost Item: Is your IdP susceptible to the OpenSSL 'dtls1_retrieve_buffered_fragment()' Remote Denial of Service Vulnerability?
Description: A number of versions of OpenSSL are prone to a vulnerability that allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
boost: Your OpenSSL libraries are at a recent version.

boost Item: Is your IdP using EV SSL Certificates?
Status: Action is recommended.
Description: An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued. Having an EV SSL certificate for your IdP is an indication to your users that you are very interested in ensuring their safety and privacy by taking the most care that you possibly can in authenticating yourself (through your web site) to them.
boost: Your IdP is not using an EV certificate. We recommend that you obtain an EV certificate for your IdP. If your organisation is an AusCERT subscriber then access to these certificates is now very simple.

boost Item: Does your IdP use a certificate that uses the SHA1 signature algorithm?
Status: Action is required.
Description: SHA1 has shown signs of weakness for many years. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. This has been followed by an announcement by Google that they will start penalising sites that use SHA1 certificates that expire during 2016 and after.
boost: Your IdP is using a certificate that uses the SHA1 signature algorithm. We recommend that you obtain a new certificate for your IdP that uses SHA256. For AusCERT certificate subscribers, all new AusCERT certificates now use SHA256 by default.

boost Item: Is your IdP susceptible to the OpenSSL Cryptographic Message Syntax Memory Corruption Vulnerability?
Description: The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. Affected servers allow unauthorised disclosure of information, unauthorised modification and disruption of service.

3.3.2 Web Server and Server configuration
The web server and server on which your organisation runs its Identity Provider should be dedicated to this task, that is, no other services should be running. This should result in a server that has a minimal configuration, which minimises the number of attack vectors available to intruders, with a resulting improvement to the security of your Identity Provider. This section investigates a number of security issues identified on the web servers and operating systems on which the IdPs have been deployed. Providing a secure environment for your users must be one of your organisation's highest priorities; we recommend you address all issues identified in this section as a matter of priority to ensure you have all GREEN status flags in the next boost.

boost Item: Does your IdP web server limit the information emanating from the server in its response headers?
Description: Attacks on HTTP servers typically exploit a bug or vulnerability. These vulnerabilities are specific to vendors. By removing the server versioning information from the headers, you make attacks on the HTTP server less vendor specific and generally less effective.
boost: Your IdP Web server only releases the minimal amount of information.

boost Item: Does your web server have PHP installed?
Description: PHP is a popular general-purpose scripting language that is especially suited to web development. It is not required for the operation of a Shibboleth based IdP and should not be installed on the server running your IdP.
boost: PHP is not installed on your IdP web server.

boost Item: Does your Tomcat installation have the default files and applications installed?
Description: The default install of Tomcat comes with documentation and examples which should be removed as part of the IdP installation.
boost: The default files and applications are not installed on your Tomcat server.

boost Item: Is your IdP Web Server susceptible to the Apache httpd Web Server Range Header Denial of Service Vulnerability?
Description: A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.
boost: Your web server is not susceptible to this vulnerability.

boost Item: Is your IdP Web Server susceptible to the HTTP TRACE XSS attack?
Description: Web servers that are configured with the TRACE and/or TRACK methods, which are used to debug web server connections, have been shown to be subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
boost: Your web server does not have the TRACE and / or TRACK methods configured.

boost Item: Is your IdP Web Server prone to a cookie information disclosure vulnerability?
Description: The Apache server is prone to an information-disclosure vulnerability. The issue occurs in the default error response for status code 400. Successful exploitation will allow attackers to obtain sensitive information that may aid in further attacks. The vulnerability affects Apache HTTP Server versions 2.2.0 through 2.2.21.
boost: Your web server is not prone to this vulnerability.

boost Item: Is your IdP web server running AjaXplorer with the Zoho plugin that is prone to a directory traversal vulnerability?
Description: The Zoho plugin for AjaXplorer could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the save_zoho.php script containing "dot dot" sequences (/../) to view arbitrary files on the system.
boost: Your web server is not running the Zoho plugin for AjaXplorer.

boost Item: Does the server your IdP is running on only have the minimal required network ports open?
Description: A Shibboleth IdP only requires ports 443, 8443 and optionally port 80 to operate correctly.
boost: Your server has only the required ports open.
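The section 3.3 items above (cipher suite mix, SHA1 certificate signatures, server response headers, TRACE/TRACK methods and open ports) can be checked offline against data you have already captured from your own IdP, as in the following Python helpers. This is an added example, not code from the AAF report or the AAF; the HTTP response samples, cipher lists and the weak/strong cipher heuristics are constructed assumptions for illustration.

```python
"""Offline audit helpers for the section 3.3 IdP hardening items (added example)."""
import re

# Ports the report says a Shibboleth IdP needs: 443 and 8443, optionally 80.
REQUIRED_PORTS = {443, 8443}
OPTIONAL_PORTS = {80}

# OpenSSL-style cipher name fragments treated as weak (assumed heuristic):
# legacy-browser suites such as RC4 or 3DES, export, anonymous and NULL
# suites, and MD5 MACs.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def parse_response_head(raw):
    """Split a captured HTTP response into (status line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_response_headers(raw):
    """Return finding codes for the header, PHP and TRACE/TRACK items."""
    _, headers = parse_response_head(raw)
    findings = []
    server = headers.get("server", "")
    # Any digit or parenthesised platform token means version info is leaking.
    if re.search(r"\d|\(", server):
        findings.append("server-version-disclosed")
    # A PHP-style X-Powered-By header suggests PHP is installed on the IdP host.
    if "x-powered-by" in headers:
        findings.append("x-powered-by-present")
    # The Allow header of an OPTIONS response lists the methods the server accepts.
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    if allowed & {"TRACE", "TRACK"}:
        findings.append("trace-or-track-enabled")
    return findings


def audit_open_ports(open_ports):
    """Compare observed listening ports with the report's required set."""
    observed = set(open_ports)
    return {
        "missing": sorted(REQUIRED_PORTS - observed),
        "unexpected": sorted(observed - REQUIRED_PORTS - OPTIONAL_PORTS),
    }


def classify_ciphers(cipher_names):
    """Split offered suites into weak, strong (PFS + AES + SHA-2/GCM) and other."""
    weak, strong, other = [], [], []
    for name in cipher_names:
        up = name.upper()
        if any(marker in up for marker in WEAK_CIPHER_MARKERS):
            weak.append(name)
        elif (up.startswith(("ECDHE", "DHE")) and "AES" in up
              and any(tag in up for tag in ("GCM", "SHA256", "SHA384"))):
            strong.append(name)
        else:
            other.append(name)
    return weak, strong, other


def cipher_recommendation(cipher_names):
    """Map the report's cipher-suite item onto the classification above."""
    weak, strong, _ = classify_ciphers(cipher_names)
    if not strong:
        return "add-strong"    # only legacy suites offered: action recommended
    if weak:
        return "review-weak"   # legacy suites kept for older browsers alongside strong ones
    return "ok"


def signature_algorithm_is_weak(sig_alg):
    """True for SHA1/MD5-signed certificates, e.g. 'sha1WithRSAEncryption'."""
    return re.search(r"md5|md2|sha1", sig_alg, re.IGNORECASE) is not None


# Constructed sample data (not captured from any real IdP).
WEAK_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.21 (Unix)\r\n"
    "X-Powered-By: PHP\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n"
)
LEGACY_ONLY_CIPHERS = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]
MIXED_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "DES-CBC3-SHA"]

if __name__ == "__main__":
    print("weak headers:", audit_response_headers(WEAK_OPTIONS_RESPONSE))
    print("hardened headers:", audit_response_headers(HARDENED_OPTIONS_RESPONSE))
    print("ports:", audit_open_ports([22, 80, 443, 8080, 8443]))
    print("ciphers:", cipher_recommendation(LEGACY_ONLY_CIPHERS), cipher_recommendation(MIXED_CIPHERS))
    print("sha1 cert weak:", signature_algorithm_is_weak("sha1WithRSAEncryption"))
```

Feed it the OPTIONS response, the listening-port list and the cipher names you record from your own IdP host; the "unexpected" port list is a prompt to justify each extra port rather than an automatic failure.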