Successful Attribute Release and eduGAIN IdP Health Check Webinar

Posted on Friday, 24 May 2019

The following webinar is being advertised on behalf of GÉANT and the eduGAIN interfederation service (of which the UK federation is a member).

Still too often accessing federated services today does not work because attribute release at the Identity Provider does not work. This is frustrating for end users, services and the research collaborations operating many eduGAIN services. Bad attribute release hinders research!

The webinar takes place on 03 July 2019 from 10:00 to 11:00 am CEST (09:00 to 10:00 BST / UK local time),

read more...

Edited by AlexStuart (Permalink)

Shibboleth Identity Provider 3.4.4 now available

Posted on Thursday, 23 May 2019

The Shibboleth Project has released v3.4.4 of the Identity Provider (IdP) software, this is a patch release containing a number of bug fixes. The UK federation recommends that you run the latest version of the IdP software, and upgrade as soon as your maintenance schedules allow. Please see the Shibboleth IdP Release Notes

Upgrading to v3.4.x is an important step in maintaining your Shibboleth IdP, as it should be possible to in-place upgrade from an existing IdP v3 to this version. This version identifies a number of deprecation warning messages, and you will need to work to resolve the issues identified prior to the release of Shibboleth IdP v4 (expected to be released later in 2019).

We will be releasing further and updated guidance on our website shortly. In the meantime you may wish to review the following page about Deprecation in IdP v4

Edited by JonAgland (Permalink)

Shibboleth SP 3.0.4.1 Update for Windows

Posted on Tuesday, 26 March 2019

There's been a service update [1][2] to the SP installers for Windows labeled V3.0.4.1 to make a fix for the bug where a non-default handlerURL fails with the IIS 7 module [3]. To be clear: this only affects your Shibboleth SP deployment if you are running Windows AND IIS 7 AND have set handlerURL in the ApplicationDefaults or ApplicationOverride elements.

This is the only change in the packages, so is only relevant for IIS 7+ deployments. This is an atypical release process that would normally be done as a full patch, but that would delay the fix for an indeterminate period and the bug has been causing a lot of problems and traffic on the Shibboleth Users list, so it was the most expedient solution.

[1] http://shibboleth.net/downloads/service-provider/3.0.4/win32/
[2] http://shibboleth.net/downloads/service-provider/3.0.4/win64/
[3] https://issues.shibboleth.net/jira/browse/SSPCPP-856

Edited by AlexStuart (Permalink)

Shibboleth Service Provider 3.0.4 now available

Posted on Wednesday, 13 March 2019

The Shibboleth Project has released V3.0.4 of the Service Provider, a patch release, along with patch releases of the xmltooling (V3.0.4) and opensaml (V3.0.1) libraries. This is a bug fix release, and also addresses a denial of service vulnerability. The UK federation recommends that you upgrade to this version.

Please see the Shibboleth SP Release Notes and the three emails in shibboleth-announce for more information.

Edited by AlexStuart (Permalink)

Shibboleth Service Provider 3.0.3 now available

Posted on Tuesday, 5 February 2019

A third patch release of the Service Provider software is available which corrects a denial of service vulnerability. Please see The Release Notes for more information. The UK federation recommends that you upgrade to this version.

If you are using Red Hat and compatible systems, you can "yum update" to the latest version. Alternatively, you can find the latest versions in all formats on the shibboleth.net website.

The Windows installers include some other library updates, including OpenSSL 1.1.1a, which includes TLS 1.3 support for the first time.

Edited by AlexStuart (Permalink)

Version 1.2.1 of Shibboleth Embedded Discovery Service now available

Posted on Friday, 1 February 2019

The Shibboleth Project has released a bugfix (version 1.2.1) of the Embedded Discovery Service. This is a bug fix that prevents new installations of the EDS from acting as an open redirector. Existing systems will continue to function as one until locked down, but the presence of the new setting will prevent this behaviour.

If your Service Provider uses this product, we recommend that you upgrade to the new bugfix version.

Please read the EDS Release Notes for more information.

Edited by AlexStuart (Permalink)