UK federation News

ForceAuthn Issues

Posted on Monday, 19 April 2021

When doing a SAML authentication loop, a Service can set a ForceAuthn flag which demands that the Identity Provider "MUST authenticate the presenter directly rather than rely on a previous security context" which should be interpreted along the lines of "must reauthenticate the user" or "must prove user presence" and that assuming a current (cookie authenticated) session is not acceptable.

This is known to cause issues in some use-cases, for example where IdP operators are using the RemoteUser authentication flow in Shibboleth IdP rather than the default Password flow. While there are ways to work around this issue by updating the IdP configuration, this can render the IdP non-compliant.

The RemoteUser flow is often used to delegate the authentication step to another IdP (usually ADFS or Azure). Shibboleth Identity Provider v4 introduced support for SAML Proxying which supports this workflow natively, without needing the RemoteUser call-out, and as such, supports the ForceAuthn flag correctly.

If your IdP is using the RemoteUser flow in this way then, to ensure compliance with the relevant specifications, our strong recommendation is that you consider moving to the native SAML Proxying functionality when you've upgraded to v4.

See also:

read more... Edited by MatthewSlowe

Programme to strengthen XML encryption in the UK federation kicks off on 23 February

Posted on Tuesday, 16 February 2021

Please find below, the text of an email sent to the Jisc-shibboleth mailing list earlier today, which outlines the plans for how the UK federation will raise the strength of XML encryption across the UK federation.

read more... Edited by SteveGlover

End of life for Shibboleth IdP v3 and IdP v4 upgrade guide

Posted on Friday, 2 October 2020

In March 2020, the Shibboleth IdP v4 was released, at the same time the Shibboleth IdP v3 end of life was announced, which will be the 31st December 2020.

The Trust and Identity team at Jisc supporting the UK federation have now made available an IdP v4 upgrade guide

read more... Edited by JonAgland

Shibboleth Service Provider Security Advisory 31st August 2020

Posted on Tuesday, 1 September 2020

A security advisory [1] has been released for the Shibboleth Service Provider involving deployments running on Windows and using the "modern" module for Microsoft IIS V7+. This module contains a flaw that can be triggered remotely, resulting in a potential denial of service condition exploitable by an unauthenticated attacker. Also, a service patch for the Windows distribution of the Service Provider software is now available [2]. This update contains a fix for a bug [3] in the IIS module. Other important information can be found in the release notes which should be reviewed when upgrading [4].

read more... Edited by SteveGlover

UK Federation Town Hall Week

Posted on Monday, 1 June 2020

Wed hoped to do this in person, but obvious reasons mean we are running virtual UK federation "Town Hall" sessions across a whole week of 8th-13th June (at lunch times 1-2pm), using Zoom. Well be covering a variety of topics and plan on the sessions being not entirely didactic. So please come armed with questions. If there is anything you would like to see covered, please email me ( in the next week and well see if we can add it in.


  • Baseline in the UK federation
  • CoC, R&S, Sirtfi & other attributes
  • Shibboleth health check lessons
  • Publisher round table: Ask anything
  • SSO & aspects of content piracy
  • Delegated authentication
  • Readiness for Shibboleth v.4
  • VerifID: Commercial Student Verification
  • About T&I Consultancy

read more... Edited by MarkWilliams ?