Shibboleth IdP version 5 has been released

Posted on Tuesday, 24 October 2023

In September 2023, the Shibboleth Project released version 5 of the Shibboleth IdP. The Shibboleth Project has also given notice that the planned end of life date for version 4 is 1 September 2024. Until then, they will be issuing security patches for version 4 if necessary, although there will be no further functional enhancements.

The version 5 IdP will require Java 17 and either Jetty 11+ or Tomcat 10+. Please include these requirements into your infrastructure planning.

Secondly, to help deployers of the IdP transition smoothly to the new version, the latest version will log deprecation warnings for features that will be removed in version 5. The replacement will be shown in the log message. The UK federation team encourages all deployers of Shibboleth IdPs to install version 4.3.1 and check your warning log regularly to ensure that you aren’t caught off guard regarding any at risk features.

There is one specific deprecation warning which looks worse than it is. When you release eduPersonTargetedID (configured through an attribute definition with xsi:type 'SAML2NameID') you will see warnings "This will be removed in the next major version of this software; replacement is (none)". The UK federation have engaged with Shib project developers, and we are grateful that they have agreed to retain the feature. In version 5, the deprecation warnings have been converted to at risk warnings, to reflect that removal is under consideration but not planned (https://marc.info/?l=shibboleth-users&m=168595624111817&w=2). However, this is advance notification to all participants in the UK federation that a federation-wide migration away from eduPersonTargetedID will be started shortly.

Edited by SteveGlover on 24 October 2023, at 04:20 PM