End of Life Warning
As of July 31, 2016, all security maintenance for the Shibboleth Identity Provider V2 release branch will cease. A complete schedule of the dates can be found here. All deployments should upgrade to V3 or evaluate other alternatives. This does not apply to the Service Provider software, which remains supported indefinitely. It does apply to the 1.x Centralized Discovery Service product.
Shibboleth allows users to securely send trusted information about themselves to remote resources. This information may then be used for authentication, authorization, content personalization, and enabling single sign-on across a broad range of services from many different providers.
If you're looking for the latest Identity Provider installation and configuration documentation, that's in the IDP30 wiki space, not here. Where things are compatible, we may point back to this material for a while while we get the new documentation created, but you should always start there.
The of the Identity Provider is 3.2.1, which has a new documentation space. The is V2.4.5. The official announcement on the staged EOL process for the V2 product can be found here, and security maintenance ends on July 31, 2016.
The of the Service Provider is V2.6.0. There are no at this time.
The minimum safe release versions that don't contain important or critical security issues are V3.1.1 and V2.4.4 of the IdP and V2.6.0 of the SP (in the latter case, you must ensure various libraries are also sufficiently new). If you are running versions prior to these, you should upgrade immediately or take steps to protect your system by reviewing the advisories. In all cases, there may be important security issues affecting any versions other than the latest ones and you should always review the advisories to ensure you understand whether your particular system might be affected.
Shibboleth V1.3.x and earlier releases of the Identity Provider and Service Provider are unsupported. Shibboleth V2.x is fully interoperable with V1.3.x releases, and is partially interoperable with older versions.
All software, including archived releases, is available from http://shibboleth.net/downloads/ and each release is accompanied by a detached PGP signature using one of the keys listed in the project's KEYS file.
All deployers should make sure to subscribe to to the
announce mailing list to be sure of seeing important security announcements.