Removal of WAYF protocol from CDS (Central Discovery Service) on 28 June 2022

Posted on Wednesday, 22 June 2022

The work to remove the legacy WAYF protocol support from our CDS is progressing well. Helpdesk staff have worked with almost all operators of WAYF-using service providers (SPs) to migrate to the DS protocol (which supports SAML 2) or alternative discovery solutions. There are a handful of cases where we have had no response from the SP operators after repeated attempts, and we are continuing to chase these SP operators.

A consequence of this work is that IdP operators will no longer be easily able to test SAML 1 endpoints using the UK federation Test SP (because we used the WAYF protocol, too). If you need alternative options, or have any questions, please contact Matt Huckson through the UK federation helpdesk at

Edited by MatthewSlowe

Important Shibboleth Identity Provider (IdP) update V4.1.6

Posted on Friday, 1 April 2022

The Shibboleth project has released V4.1.6 of the Identity Provider [1] to address this week's Spring vulnerability. If you are running Shibboleth V4.1.x already this should be a straight forward upgrade.

We would like to take this opportunity to remind participants in the UK federation running the Shibboleth IdP to maintain and regularly update the software.

The following is the announcement from the Shibboleth project [4];

We do not have any specific knowledge that this vulnerability affects the IdP and a fair amount of insight that it may well not, but the Spring project hasn't corroborated our research by clearly pointing to the feature we think triggers the bug, so we're erring on the cautious side and just assuming we're vulnerable and believe deployers should do so as well. I've updated the security page [3] to reflect that assumption.

V4.2.0 is imminent but is a minor upgrade without a definite release date so waiting for it is not likely the best course for most.

Note: if you are using the other SAML software or running the Shibboleth Service Provider you are not affected by this announcement, but you should still maintain software and update software in your control and/or work with your vendor or third-party support to determine if you maybe affected by any software vulnerabilities, including the recently announced Spring4Shell vulnerability [2]

If you are not already subscribed, please make sure you are signed up to the Shibboleth announce list [5] to receive these announcements direct from the Shibboleth project.


Edited by SteveGlover

UK federation "Town Hall" week webinars

Posted on Friday, 25 March 2022

All next week (28 March 1 April), we are running virtual UK federation "town hall" lunchtime webinars via Zoom. Anyone is welcome to join. The sessions will be live, covering a variety of topics, with plenty of opportunity for you to ask questions.

Please email to register, and to request any topics you would like to see covered during the sessions.

Please click through for programme details....
Edited by SteveGlover

Shibboleth IdP 4.1.4 / Jetty v9.4.39 known issue with high CPU usage

Posted on Thursday, 27 January 2022

We've become aware of an issue with Jetty version 9.4.39 where some deployers of this version are experiencing unexplained high CPU usage which, in some cases, causes the service to become unusable.

We believe this applies to deployers of:

  • Shibboleth Identity Provider v4.1.4 using Windows MSI and the bundled Jetty
  • Other platforms (such as Linux) using Jetty 9.4.39

Other versions of Jetty may be affected.

If you have any queries about this recommendation, please contact

read more... Edited by MatthewSlowe

Update to UK federation Rules of Membership

Posted on Friday, 14 January 2022

The UK federation has revised the Rules of Membership to reflect the introduction of charging for Service Provider members effective from January 1st 2022.

The revised rules can be found here:

read more... Edited by SteveGlover