AAI Emergency Procedures

This page describes the procedures that should be followed in case a Service Provider (SP) or Identity Provider (IdP) was compromised due to a security breach. In particular, if an attacker could have got access to the private key that is used by Shibboleth to sign assertions or to authenticate against another component. In such a situation, one should first try to get in contact with the AAI team. If that is for reason not possible immediately, please read the instructions below how to react.

Contact the AAI Team

During office hours on week days the AAI team can be contacted by phone +41 44 268 1505 or email aai@switch.ch. Sometimes it can happen that all team members are in a meeting or otherwise not available. In such a case, please contact SWITCHcert (computer emergency response team) instead and ask for assistance.

Service Provider Emergency

If a host was compromised where a Shibboleth Service Provider is operated on, an attacker could collect user attributes provided by AAI. Usually these attributes are not very sensitive but in theory they could be. Therefore, it is important to prevent users from logging in on any applications of that host. This can best be achieved by shutting down the host or the (web) service. After that, the host's web server and Shibboleth certificate should be revoked immediately to prevent an attacker from setting up his own host using the compromised certificates.
Therefore, please follow these steps:

  • Step 1: Shut down the SP host
    Just shutting down the web server may not be enough because if the host was compromised it's likely that an attacker installed a backdoor service that allows to log in even if SSH, the web server or other services are shut down.
  • Step 2: Remove X.509 certificate from Resource Registry/metadata
    The X.509 certificate in the context of Shibboleth is used to sign assertions or make attribute requests in the name of the SP in order to query user attributes. You should also make sure that the web server certificate is revoked at the CA that issued it. Because an attacker may have stolen the private key relevant for Shibboleth, it is important to make sure that the certificate belonging to the compromised private key is not accepted anymore by Identity Providers. This can be achieved by these steps:
    1. Go to the Resource Registry
    2. Click on the "Resource Admin" tab
    3. Click on the Edit icon below the Resource Description of the compromised Service Provider
    4. Click on "6. Used Certificates"
    5. Delete or replacing the embedded certificate in the text area like shown in the following screenshot.
    6. Click on the "Apply" button.
    7. Return to the Resource Description menu.
    8. Provide a comment saying that it hurries and then click on the "Submit for Approval button".
  • Step 3: Inform SWITCHcert
    Next you should try to find out how the host could be compromised. This usually is not trivial and requires special skills. Therefore, it's best to ask the specialists for help. If your organisation is part of the SWITCH community, please contact SWITCHcert for assistance.
  • Step 4: Set up host from scratch
    Finally, you should set up the host from scratch because the compromised may contain malware and back doors even though anti virus applications couldn't find anything. Therefore, it's safest to perform a clean installation be backing up important data, erasing all data from the hard drives and install the services again.

Identity Provider Emergency

If a host is compromised that servers as AAI Identity Provider (IdP), it is of great importance to make sure that the IdP's private key cannot be used anymore so sign identity assertions that are accepted by Service Providers. Therefore, the certificate belonging to the potentially compromised private key must be removed immediately from metadata. However, it may be that this is not possible anymore by the IdP administrator himself because the Identity Provider already is shut down or is not functional anymore.
Therefore, please follow these steps:

  • Step 1: Shut down the IdP host
    It is important to prevent users of your organization from authenticating at the compromised IdP because an attacker could easily intercept usernames and passwords. What's more, the attacker could use the IdP's credentials to get read access to the user directory that the Identity Provider requires.
  • Step 2: Let SWITCH disable the compromised Identity Provider
    Call the AAI team 044 268 1505 and ask to disable the Identity Provider. We then will try to identify you in order to validate your request. If we cannot identify you or in case the AAI team is not reachable, please use the following approach:
    Assuming there is a chain of trust like in the following picture, it's also possible to hand in the request to disable an IdP via an alternative route.
    In the two above-mentioned cases, please contact the security staff members of your organisation and ask them to forward the request to the SWITCHcert team as shown in the figure below. Because there is most likely a trust relationship between SWITCHcert and your organisation's security staff members, the SWITCHcert team then can forward the request to the AAI team or even disable the Identity Provider themselves.

  • Step 3: Inform SWITCHcert
    Next, you should try to find out how the host could be compromised. This usually is not trivial and requires special skills. Therefore, it's best to ask the specialists for help. If your organisation is part of the SWITCH community, please contact SWITCHcert for assistance.
  • Step 4: Set up host from scratch
    Finally, you should set up the host from scratch because the compromised may contain malware and back doors even though anti virus applications couldn't find anything. Therefore, it's safest to perform a clean installation be backing up important data, erasing all data from the hard drives and install the services again.

Short Summary

In cases an incident is detected on the host where an AAI Service Provider or Identity Provider is operated, please contact the following people in this order:

  1. AAI Team: +41 44 268 1505
  2. Your organization's security people
  3. SWITCHcert Team: +41 44 268 15 40