Shibboleth Service Provider v3 Introduces Useful New Features, Easy Upgrade Path
On July 17, the Shibboleth Consortium released a major new update to its Shibboleth Service Provider (SP) software, version 3.0.
As of the writing of this blog, version 3.0.2 is the latest supported release of this software. The new version of Shibboleth SP brings changes to the internals of the software which are mostly not visible to deployers, but it also brings a host of new features which help to evolve the use of federation.
Among the changes, several features stand out in making it easier to use the Shibboleth SP to support scalable “web farm”-type deployments:
- Stateless clustering allows SPs to share information relevant to the state of a user’s access to SP-protected services (attributes, username, etc.) without the need for a highly available backing store, like a database cluster. This session data is stored in an encrypted cookie in the user’s browser, and may be accessed by SP instances that have access to a shared private key.
- The ability to assign new entityIDs for each vhost configured on an HTTP server, automatically.
- The ability to dynamically configure application overrides using fragments of config files stored in a directory.
- New IIS 7+-native module that allows more straightforward and secure use of server variables (rather than headers) for passing information from Shibboleth to the application.
- Support for mapping user information into IIS’ built-in privilege management system.
Other features which are important, but may be overlooked, include:
- Default change to use of SHA-256 digest algorithm rather than SHA-1 for new installs.
- Logging to the system’s standard log (syslog for *nix, Windows service log) reduces problems with permissions and permits more centralized/standardized use of logging functions when working with the SP.
- Easy upgrade path: Use your existing shibboleth2.xml config file, look for warnings in logs about deprecated features, eliminate their use, and then easily adopt the new config format and features by switching the namespace in your shibboleth2.xml config file.
- The ability to administratively end a session.
InCommon strongly urges deployers of legacy Shibboleth SP versions to upgrade to SPv3 at their earliest convenience, to ensure continued support for and security of their deployments. Some of the new features may make Shibboleth SP a more attractive option for additional deployment patterns, and we urge systems administrators, devops architects, application owners and others to consider use of the newest Shibboleth SP in their environments.