Removal of triple scope and UKFederationMember elements from UK federation metadata aggregate publications
Posted on Monday, 1 November 2021
We are implementing today some planned changes to a few aspects of the UK federation's metadata which were announced in August (2021-08-25-new-federation-documents) and reproduced below.
These changes are not expected to cause operational issues; however, if any issues do arise, please contact our Support Desk (FedSupport) as usual.
MDQ metadata increasing to 21 days validity
Posted on Wednesday, 1 September 2021
On 1 September, we will be increasing the validity period of metadata from the MDQ service from 14 days to 21 days, to provide more resilience and to bring it in line with our metadata aggregate. If you are using the MDQ service, you should ensure that your deployment is configured to accept metadata with this validity period.
New releases of federation documents and timeline for removal of features
Posted on Wednesday, 25 August 2021
We are pleased to announce that new versions of the FTS (Federation Technical Specifications) and TRP (Technical Recommendations for Participants) have been published at https://docs.ukfederation.org.uk/. This is the first revision since 2014. It announces a new service and provides a timeline for removal of features that have reached their end-of-life.
Service Provider Membership charges
Posted on Thursday, 15 July 2021
From January 2022, the UKAMF will begin charging service providers (most typically publishers) a small fee for annual membership of the federation.
All publicly funded higher education, further education, school, research, local council and national library organisations in the UK, including UK higher education owned university presses, are EXEMPT from this charge.
Subject Identifiers Webinar
Posted on Friday, 28 May 2021
The team at Jisc supporting the UK federation hosted a webinar on the 26th May 2021 covering the topic of Subject Identifiers in the federation, which is relevant for all participants. This is a chance to introduce the issue of dealing with Subject Identifiers (including the widely used eduPersonTargetedID) and the issues of those transitioning and changing with the UK federation. This webinar is relevant to both IdP and SP operators, as well as maintainers of applications that operate within a federated environment. We would also like to open up discussion on the topic during the webinar.
Binary Attributes during IdP upgrading
Posted on Thursday, 27 May 2021
Shibboleth Identity Provider (IdP) operators must pay particular attention to the changes related to Binary Attributes during upgrades of the IdP within v3 and between v3 and v4. Operators who follow our guidance (Deprecated features in Shibboleth IdPv3 will be removed in v4 documentation and IdP v4 upgrade), including testing as described below, should not experience any issues.
Posted on Monday, 19 April 2021
When doing a SAML authentication loop, a Service can set a ForceAuthn flag which demands that the Identity Provider "MUST authenticate the presenter directly rather than rely on a previous security context", which should be interpreted along the lines of "must reauthenticate the user" or "must prove user presence", and that assuming a current (cookie authenticated) session is not acceptable.
This is known to cause issues in some use-cases, for example where IdP operators are using the RemoteUser authentication flow in Shibboleth IdP rather than the default Password flow. While there are ways to work around this issue by updating the IdP configuration, this can render the IdP non-compliant.
The RemoteUser flow is often used to delegate the authentication step to another IdP (usually ADFS or Azure). Shibboleth Identity Provider v4 introduced support for SAML Proxying, which supports this workflow natively, without needing the RemoteUser call-out, and as such supports the ForceAuthn flag correctly.
If your IdP is using the RemoteUser flow in this way then, to ensure compliance with the relevant specifications, our strong recommendation is that you consider moving to the native SAML Proxying functionality when you've upgraded to v4.
Programme to strengthen XML encryption in the UK federation kicks off on 23 February
Posted on Tuesday, 16 February 2021
Please find below the text of an email sent to the Jisc-shibboleth mailing list earlier today, which outlines the plans for how the UK federation will raise the strength of XML encryption across the UK federation.