UK Access Management Federation
for Education and Research
The UK federation is operated by Jisc and provides a single solution to accessing online resources and services for education and research. Here is some information on how it works and its benefits.
Eligible organisations are invited to join the current membership.
Latest news
Important Shibboleth Identity Provider (IdP) update V4.1.6
Posted on Friday, 1 April 2022
The Shibboleth project has released V4.1.6 of the Identity Provider [1] to address this week's Spring vulnerability. If you are running Shibboleth V4.1.x already this should be a straight forward upgrade.
We would like to take this opportunity to remind participants in the UK federation running the Shibboleth IdP to maintain and regularly update the software.
The following is the announcement from the Shibboleth project [4];
We do not have any specific knowledge that this vulnerability affects the IdP and a fair amount of insight that it may well not, but the Spring project hasn't corroborated our research by clearly pointing to the feature we think triggers the bug, so we're erring on the cautious side and just assuming we're vulnerable and believe deployers should do so as well. I've updated the security page [3] to reflect that assumption.
V4.2.0 is imminent but is a minor upgrade without a definite release date so waiting for it is not likely the best course for most.
Note: if you are using the other SAML software or running the Shibboleth Service Provider you are not affected by this announcement, but you should still maintain software and update software in your control and/or work with your vendor or third-party support to determine if you maybe affected by any software vulnerabilities, including the recently announced Spring4Shell vulnerability [2]
If you are not already subscribed, please make sure you are signed up to the Shibboleth announce list [5] to receive these announcements direct from the Shibboleth project.
[1] http://shibboleth.net/downloads/identity-provider/latest/
[2] https://tanzu.vmware.com/security/cve-2022-22965
[3]https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631889/SecurityAdvisories
[4] http://shibboleth.net/pipermail/announce/2022-March/000260.html
[5] https://shibboleth.net/mailman/listinfo/announce
UK federation "Town Hall" week webinars
Posted on Friday, 25 March 2022
All next week (28 March – 1 April), we are running virtual UK federation "town hall" lunchtime webinars via Zoom. Anyone is welcome to join. The sessions will be live, covering a variety of topics, with plenty of opportunity for you to ask questions.
Please email mark.williams@jisc.ac.uk to register, and to request any topics you would like to see covered during the sessions.