2021-08-03
- Update all links to the Shibboleth Wiki that moved into the cloud.
- Add 'Update the messages.properties configuration' to the 'Upgrading from version 3.3.x to 3.4.x' section.
2021-03-30
- Update idp-install.sh to generate a key pair with a self-signed certificate valid for 10 instead of 3 years. The default key size has already been 3072 bits since IdPv3.4.
2021-03-09
- Add template for the uidNumber attribute to the attribute-resolver-other.xml file and align the description for uid.
2021-01-04
- Increased minor version number from 3.4.7 to 3.4.8
- Fixed broken link to Tomcat Wiki
2020-09-09
- Add missing template for the ou attribute to the attribute-resolver-other.xml file.
2020-07-30
- Increased minor version number from 3.4.6 to 3.4.7
2020-05-07
- Add upgrade hint for deprecated requestContext.principalName method.
2020-02-13
- Fixed the attribute-filter download URL (inserted _v4) in General IdP settings so that the IdPv3.4 loads the attribute-filter in its new, more compact, IdPv4 forward compatible schema.
- The IdPv3.4 upgrade instructions now include the step to modify the attribute-filter download URL.
2020-02-11
- Introduced the missing second step in the IdP status URL configuration to define the property idp.status.accessPolicy.
- Added a hint to HTML Local Session Storage to tailor the property idp.footer.
2020-01-22
- Added the config for HTML Local Session Storage in conf/idp.properties to ensure that SSO also works with new browser versions that default to SameSite=Lax.
2019-10-15
- Updated the references to the latest version to IdP 3.4.6.
- Updated the IdP status URL configuration in conf/access-control.xml to limit the access to the status page only.
2019-02-18
- Updated metadata-provider-* files in chapter Federation metadata configuration: Removes the deprecated metadata:ChainingFilter, it's no longer necessary. Fetch the updated files and replace the currently active ones after reviewing the changes.
- Updated attribute-resolver-* files in chapter Attribute resolution configuration: Replaces all deprecated tags or elements, namely sourceAttributeID and Dependency. Adds encodeType="false" to the AttributeEncoders to suppress unnecessary type info in the SAML assertion. The new files are IdPv4 compatible. Fetch the updated files and carefully compare them with your currently active files. You need to modify the new files for your user directory environment!
- Updated script for credentials/rotate-sealer.sh. It no longer uses a Java class but the seckeygen.sh script.
2018-11-13
- Modifies the default attribute-resolver-connectors.xml file to configure a <ConnectionPool> for the <DataConnector>. See also these upgrade instructions: Configure an Attribute Resolver Connection Pool
- Updates the User Authentication section to make use of the explicit certificate trust configuration instead of the JVM trust store.
2018-07-12 Adds warning for RHEL/CentOS to chapter '5.1 PostgreSQL Installation' that the recent postgresql-jdbc RPM from the distro requires Java 8 instead of Java 7. Therefore, any future rebuild of idp.war will fail unless you replace the postgresql-jdbc driver by one for Java 7.
2018-06-01 Guide updated to make use of the newly published metadata file with only SP entities instead of the slightly bigger legacy file with SP as well as IdP entities.
- Replace the metadata provider file in /opt/shibboleth-idp/conf with the updated version using one of these two statements, depending on the federation your IdP is registered with:
sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-switchaai.xml
sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-aaitest.xml
2018-05-16 Guide updated for IdPv3.3.3 (affects download links only)
2018-04-18 Bug fixed in attribute-resolver-interfederation-core.xml for schac:homeOrganizationType values higherEducationalInstitution and educationalInstitution
2017-10-05 Adds step 4) to replace pc: prefix occurrences in the XML Namespace Cleanup in Attribute Resolution Configuration section.
2017-10-04 Guide updated for IdPv3.3.2
- The guide now covers IdPv3.3.2
- Adds new section Limit Cookies to Secure Connections
- Adds two new sections to upgrade instructions from 3.2.x to 3.3.x:
- Adds the previously missing changes to be applied to the services.xml file in section Update the messages.properties configuration as part of the upgrade instructions from 3.2.x to 3.3.x
- Adds the optional configuration to separate local changes to messages.properties into local.properties files in section Messages Translation
- XML namespace cleanup applied to default attribute-resolver-*.xml files referenced in the Attribute resolution configuration section.
2017-06-08 New link to LDIF files in the Attribute resolution configuration section.
2017-04-21 New Note in Upgrading from version 3.2.x to 3.3.x that update overwrites system/messages
2017-03-20 Guide updated for IdPv3.3.1
- The guide now covers IdPv3.3.1
- Fixes the path for the message translations for IdPv3.3.x. These messages_XX.properties files need to go into the /opt/shibboleth-idp/messages/ directory. In the earlier proposed system/messages directory they get overwritten the next time you run the installer!
2017-02-23 Guide updated for IdPv3.3
- The guide now covers IdPv3.3 and includes a section on how to upgrade from 3.2.x to 3.3
2016-12-20 HTML encoding fixed to correctly display code snippets in pop-up windows
- Code snippets displayed in pop-up windows were not always correct since pop-up windows do not evaluate JavaScript.
2016-06-02 Explicit choice of language in the login form
- A new reference in 'Login form customization' points to the details in the Shibboleth Wiki on how to switch locale.
2016-06-02 Messages Translation upgraded to its own chapter
- Messages Translation was only a section in 'Login form customization', now it is its own chapter.
2016-05-24 Remove two IP addresses from shibboleth.IPRangeAccessControl
- The two IP addresses of the former Resource Registry were removed from the shibboleth.IPRangeAccessControl bean.
2016-05-18 Fixed two broken links
- Two links pointing to the Shibboleth Wiki were fixed since the pages they were pointing to moved.
2016-03-04 Translation messages
- An example was added to show how to adapt your translation messages.
2016-03-04 A note about Java8 and Tomcat8
- We added links to the shibwiki in case you need to install Tomcat 8 and Java 8.
2016-02-24 Available RAM size dynamically suggests Tomcat Memory configuration
- Available RAM size is a new setup input field. Its value affects the suggested JAVA_OPTS setting for Tomcat.
2016-02-23 New section on Final Tests
- Test whether your IdP properly responds to SAML Attribute Queries.
2016-02-11 Apache Configuration enhanced
- In the Apache Configuration, X-Frame-Options DENY was added to prevent iframe embedding and HTTP Strict Transport Security (HSTS) was enabled.
2015-12-22 Update for 3.2.1 release
- The updated template for consent-intercept-config.xml makes use of the newly introduced AttributeDisplayOrder list.
2015-12-17 Reorganise 3.1 to 3.2 upgrade procedure
- Rearranged upgrade instructions so that those that require the IdP to be stopped (database migration) are grouped at the end.
- Added explicit mention of when Tomcat should be stopped.
- Fixed database migration SQL commands to preserve constraints on the storagerecords table.
2015-12-07 PostgreSQL
- In addition to the daily PostgreSQL backup, we added a second cron entry that creates an hourly backup.
2015-11-27 We improved the guide for version 3.2 with the following changes:
- Changed the PostgreSQL database structure and provided a script to migrate to the new DB structure
- In idp.properties, the auto-generated metadata under the URL of the IdP's entity ID is disabled
- AttributeFilter: change to the new syntax in idp.properties
- attribute-resolver-other.xml was added to the standard configuration. All attributes but eduPersonEntitlement with the common-lib-terms value are commented out by default.
- persistentID: we no longer need to detour the additional attribute definition for swissEduPersonUniqueID.withoutAttributeEncoder
- saml-name-id.properties: we replaced idp.persistentId.store with the new property idp.persistentId.dataSource
- attribute-resolver-connectors.xml: the bug with the random-salt is fixed, so the work-around can be removed
- New consent-intercept-config.xml file with a defined ordering for the attribute release consent dialog as well as an extended blacklist that also covers the usually cryptic unique identifiers.
2015-11-10 PostgreSQL
- To avoid data loss when running vacuumlo, the database structure was changed; large objects are no longer needed.