Shibboleth Service Provider 3.0.2 now available

Posted on Friday, 10 August 2018

Last month saw the release of version 3 of the Shibboleth SP, quickly followed by a bugfix release and then a security release. The security advisory reports a vulnerability in a library used by versions 2 and 3 of the SP which can allow a denial of service attack against the SP. The vulnerability can only be mitigated by upgrading to the latest version of the SP, version 3.0.2; there is no fix for the 2.x branch [1][2].

We recommend that you upgrade your Shibboleth software at the earliest convenient opportunity. The upgrade process is designed to be seamless and is functionally the same as upgrading V2 in the past [3]. However, please note that there are some differences in default behaviour in SP V3 that may affect operation within the UK federation, so you should follow good practice by studying the release notes and performing the upgrade on a test system first.

In particular, there is a specific combination of factors that could lead to loss of personalisations for accounts associated with the small number of IdPs that release an incorrectly-formatted eduPersonTargetedID attribute. If ALL of the following apply to your SP, then there is a risk of a loss of personalisations in an upgraded system. The factors are:

- Your Shibboleth SP supports personalisations such as saved searches or display settings

AND

- Your Shibboleth SP uses either the targeted-id or REMOTE_USER variables to identify returning users

AND

- You have not edited the attribute-map.xml to map the incorrect form into the newer form

This is a rare combination of factors, although more likely if your SP continues to use SAML 1 rather than the recommended SAML 2 protocol messages. You are welcome to contact the UK federation helpdesk and we can work with you to determine whether you may be affected and how to address the issue.
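To make the third factor concrete, here is an added example of the kind of attribute-map.xml entries involved. It is not taken from this post or from the Shibboleth project's shipped configuration files. It assumes, as the SP 2.x default map did, that the legacy form of eduPersonTargetedID arrives as a plain scoped string under the SAML 1 attribute name urn:mace:dir:attribute-def:eduPersonTargetedID and is decoded with ScopedAttributeDecoder, while the current form arrives as a SAML 2 NameID under urn:oid:1.3.6.1.4.1.5923.1.1.1.10. The attribute ids targeted-id and persistent-id are the conventional ones from the SP 2 default map; check both the names and the ids against the files your SP actually shipped with before copying anything.

```xml
<!-- Added example (not from the UK federation post or the Shibboleth distribution).
     Fragment for attribute-map.xml on a Shibboleth SP 3.x. The element and
     attribute names below are those used by the SP 2 default map; treat them
     as an assumption to verify against your own old and new files. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Current form: eduPersonTargetedID carried as a SAML 2 NameID.
         An entry like this is present in the SP 3 default map; keep it. -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$NameQualifier!$SPNameQualifier!$Name"
                          defaultQualifiers="true"/>
    </Attribute>

    <!-- Legacy form: eduPersonTargetedID as a scoped string ("value@scope")
         under the SAML 1 attribute name. If the upgraded SP's map carries no
         entry for this name, a user whose IdP still sends only this form
         arrives with no targeted-id, and an application keyed on that
         identifier (directly or via REMOTE_USER) no longer finds their
         stored personalisations.

         Option A: restore the old id, for applications that read the
         targeted-id variable by name. The decoded value is the same
         "value@scope" string the SP 2 map produced. -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <!-- Option B: decode the same legacy form under the newer id instead, so
         that a REMOTE_USER setting which lists persistent-id (but no longer
         targeted-id) still picks it up. Several mappings may share one id;
         use A or B according to which variable your application reads, not
         both for the same users. -->
    <!--
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    -->

</Attributes>
```

Whichever option is used, confirm on the test system that the REMOTE_USER attribute on the ApplicationDefaults element in shibboleth2.xml names the id the application depends on, and compare the value a returning test account sees before and after the upgrade; the identifier string, not just its presence, is what links the account to its saved personalisations.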

Edited by AlexStuart on 10 August 2018, at 01:42 PM