We have stopped warning about expiring self-signed trust fabric certificates

Posted on Thursday, 31 October 2019

The UK federation follows the SAML Metadata Interoperability Profile. This profile requires that a trust fabric certificate in metadata is treated only as a convenient wrapper for a cryptographic public key, with none of the additional semantics normally associated with certificates, such as a check against its expiry date.

Edited by AlexStuart

End of Support for Shibboleth V2 Identity Provider

Posted on Thursday, 17 October 2019

The UK federation will be ending its support for Shibboleth V2 Identity Provider (IdP) deployments on December 31st 2019.

Why we are doing this:

Shibboleth IdP v2 deployments have been End of Life since July 2016, and ending support for them will allow effort to be focused on current deployments.

Who does this concern:

The UK federation support team has contacted institutions and organisations known to be running Shibboleth IdP v2 software; however, it is possible that some remain unidentified. If you believe your institution may be running Shibboleth IdP v2, please consider the action detailed below.

Edited by SteveGlover

Shibboleth IdP version 4

Posted on Monday, 14 October 2019

The next version of the Shibboleth IdP (version 4) will remove some configuration elements that IdP deployers in the UK federation rely on. Every Shibboleth IdP deployer must change their configuration to use the new elements that have been available since v3.4.0. The changes are typically small and well-defined, and IdP 3.4 will log warnings for deprecated elements. The UK federation lists the most relevant actions in Deprecated features in Shibboleth IdP v3 will be removed in v4 (https://www.ukfederation.org.uk/content/Documents/DeprecationIdPv4). You have a window of a few months in which to reconfigure deprecated elements and ensure a smooth transition to IdP v4 when it is released.

Edited by SteveGlover

Successful Attribute Release and eduGAIN IdP Health Check Webinar

Posted on Friday, 24 May 2019

The following webinar is being advertised on behalf of GÉANT and the eduGAIN interfederation service (of which the UK federation is a member).

Still too often accessing federated services today does not work because attribute release at the Identity Provider does not work. This is frustrating for end users, services and the research collaborations operating many eduGAIN services. Bad attribute release hinders research!

The webinar takes place on 03 July 2019 from 10:00 to 11:00 am CEST (09:00 to 10:00 BST / UK local time),

Edited by AlexStuart

Shibboleth Identity Provider 3.4.4 now available

Posted on Thursday, 23 May 2019

The Shibboleth Project has released v3.4.4 of the Identity Provider (IdP) software; this is a patch release containing a number of bug fixes. The UK federation recommends that you run the latest version of the IdP software, and upgrade as soon as your maintenance schedules allow. Please see the Shibboleth IdP Release Notes.

Upgrading to v3.4.x is an important step in maintaining your Shibboleth IdP, as it should be possible to perform an in-place upgrade from an existing IdP v3 to this version. This version identifies a number of deprecation warning messages, and you will need to resolve the issues identified before the release of Shibboleth IdP v4 (expected to be released later in 2019).

We will be releasing further and updated guidance on our website shortly. In the meantime you may wish to review the following page about Deprecation in IdP v4.

Edited by JonAgland

Shibboleth SP Update for Windows

Posted on Tuesday, 26 March 2019

There's been a service update [1][2] to the SP installers for Windows, labeled V3.0.4.1, to fix the bug where a non-default handlerURL fails with the IIS 7 module [3]. To be clear: this only affects your Shibboleth SP deployment if you are running Windows AND IIS 7 AND have set handlerURL in the ApplicationDefaults or ApplicationOverride elements.

This is the only change in the packages, so it is only relevant for IIS 7+ deployments. This is an atypical release process: the fix would normally be done as a full patch, but that would delay it for an indeterminate period, and the bug has been causing a lot of problems and traffic on the Shibboleth Users list, so this was the most expedient solution.

[1] http://shibboleth.net/downloads/service-provider/3.0.4/win32/
[2] http://shibboleth.net/downloads/service-provider/3.0.4/win64/
[3] https://issues.shibboleth.net/jira/browse/SSPCPP-856

Edited by AlexStuart

Shibboleth Service Provider 3.0.4 now available

Posted on Wednesday, 13 March 2019

The Shibboleth Project has released V3.0.4 of the Service Provider, a patch release, along with patch releases of the xmltooling (V3.0.4) and opensaml (V3.0.1) libraries. This is a bug fix release, and also addresses a denial of service vulnerability. The UK federation recommends that you upgrade to this version.

Please see the Shibboleth SP Release Notes and the three emails in shibboleth-announce for more information.

Edited by AlexStuart

Shibboleth Service Provider 3.0.3 now available

Posted on Tuesday, 5 February 2019

A third patch release of the Service Provider software is available which corrects a denial of service vulnerability. Please see the Release Notes for more information. The UK federation recommends that you upgrade to this version.

If you are using Red Hat and compatible systems, you can "yum update" to the latest version. Alternatively, you can find the latest versions in all formats on the shibboleth.net website.

The Windows installers include some other library updates, including OpenSSL 1.1.1a, which includes TLS 1.3 support for the first time.

Edited by AlexStuart

Version 1.2.1 of Shibboleth Embedded Discovery Service now available

Posted on Friday, 1 February 2019

The Shibboleth Project has released a bugfix release (version 1.2.1) of the Embedded Discovery Service. It prevents new installations of the EDS from acting as an open redirector. Existing systems will continue to function as one until locked down, but the presence of the new setting will prevent this behaviour.

If your Service Provider uses this product, we recommend that you upgrade to the new bugfix version.

Please read the EDS Release Notes for more information.

Edited by AlexStuart