UK Access Management Federation
for Education and Research

Removal of WAYF protocol from CDS (Central Discovery Service) on 28 June 2022

Posted on Wednesday, 22 June 2022

The work to remove the legacy WAYF protocol support from our CDS is progressing well. Helpdesk staff have worked with almost all operators of WAYF-using service providers (SPs) to migrate to the DS protocol (which supports SAML 2) or alternative discovery solutions. There are a handful of cases where we have had no response from the SP operators after repeated attempts, and we are continuing to chase these SP operators.

A consequence of this work is that IdP operators will no longer be easily able to test SAML 1 endpoints using the UK federation Test SP (because we used the WAYF protocol, too). If you need alternative options, or have any questions, please contact Matt Huckson through the UK federation helpdesk at service@ukfederation.org.uk

Important Shibboleth Identity Provider (IdP) update V4.1.6

Posted on Friday, 1 April 2022

The Shibboleth project has released V4.1.6 of the Identity Provider [1] to address this week's Spring vulnerability. If you are running Shibboleth V4.1.x already this should be a straight forward upgrade.

We would like to take this opportunity to remind participants in the UK federation running the Shibboleth IdP to maintain and regularly update the software.

The following is the announcement from the Shibboleth project [4];

We do not have any specific knowledge that this vulnerability affects the IdP and a fair amount of insight that it may well not, but the Spring project hasn't corroborated our research by clearly pointing to the feature we think triggers the bug, so we're erring on the cautious side and just assuming we're vulnerable and believe deployers should do so as well. I've updated the security page [3] to reflect that assumption.

V4.2.0 is imminent but is a minor upgrade without a definite release date so waiting for it is not likely the best course for most.

Note: if you are using the other SAML software or running the Shibboleth Service Provider you are not affected by this announcement, but you should still maintain software and update software in your control and/or work with your vendor or third-party support to determine if you maybe affected by any software vulnerabilities, including the recently announced Spring4Shell vulnerability [2]

If you are not already subscribed, please make sure you are signed up to the Shibboleth announce list [5] to receive these announcements direct from the Shibboleth project.

[1] http://shibboleth.net/downloads/identity-provider/latest/
[2] https://tanzu.vmware.com/security/cve-2022-22965
[3]https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631889/SecurityAdvisories
[4] http://shibboleth.net/pipermail/announce/2022-March/000260.html
[5] https://shibboleth.net/mailman/listinfo/announce