
The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.



Not yet released. Scheduled release date: Dec 19, 2015

This is a patch update containing bug fixes.

IDP-848: Incorrect relying party information was displayed during login when using JSPs.

IDP-805: Example eduPersonScopedAffiliation attribute definition was not actually scoped.

IDP-815: IdP fails to start when idp.home contains backslashes on Windows.

IDP-871: SSO fails when the attribute resolver configuration is invalid and consent is enabled.

IDP-873: Improved configuration of the order in which attributes are displayed during consent.

IDP-879: Logout does not propagate correctly when using Internet Explorer.

For a complete list of issues addressed in this release, see


November 18, 2015

This is a minor upgrade containing new features and bug fixes. New material in the documentation can be identified with a 3.2 superscript.

For a complete list of issues addressed and features added in this release, see

Important Notes for Upgraders

A major bug in the implementation of storage-backed SAML 2 persistent identifiers was addressed by significantly changing the implementation. The configuration is backward-compatible, but there are database definition considerations that need to be addressed as part of the upgrade to correct this issue. The new documentation includes information you should review if you're using this feature.

A new environment variable, IDP_BASE_URL, can be set to globally override the URL used to call the administrative flows from the command line tools. The default value has also been slightly adjusted to include the servlet context path, so it now defaults to "http://localhost/idp". If you have scripts that set the -u parameter to control this URL now, they may need to be adjusted (or may well no longer be needed). Note that using anything but localhost will generally require modifying conf/access-control.xml.

The new logout support is dependent on a copy of jQuery, now included in the war tree under a /js directory. An explicit copy is included to ensure clients are dependent only on web content included with the software (because browsers erroneously and dangerously do not verify the authenticity of the scripts they run), but this may necessitate occasional out-of-band notices that a new version should be inserted if security issues arise.

New Objects

The following new user-space configuration files have been added in this release. They will be installed in their default form when you upgrade.

The following new properties have been added in this release (defaults in parentheses):

The following new beans have been added in this release:

New Features

IDP-594: A new implementation of client-side data storage has been swapped in that is compatible with the previous use of cookies, and allows a deployer to optionally enable new support for HTML local storage, which greatly expands the size of data that can be stored. In combination with that feature, it's possible to enable the session tracking properties related to logout while still avoiding the use of server-side state.

IDP-224: Our first true single logout implementation is now available, covering front-channel mixed SAML and CAS logout. Documentation on this feature will be developed subsequent to this release.

IDP-111: A new login flow supporting SPNEGO authentication with Kerberos has been added, thanks to a contribution by SWITCH.

IDP-114: The Kerberos login flow has been enhanced to support KDC verification using a service principal and keytab. New beans must be uncommented and configured to use this feature (see KerberosAuthnConfiguration).

IDP-624: The order in which attributes are displayed to the user during attribute release consent is now configurable.

A new Velocity context variable, "attributeDisplayNameFunction", is available to the attribute release consent screens. It returns the browser-language-sensitive content of the <DisplayDescription> declared for the attribute in attribute-resolver.xml. See VelocityVariables for more details.

IDP-661: Two new MDC keys have been added in support of logging. See the documentation.

IDP-808: The filtering language has been simplified, allowing all parts to be specified in the same namespace, which obviates the need for the afp:, basic: and saml: prefixes (although the old syntax is still supported). In some cases the name of a Matcher or PolicyRule has been simplified. The complete mapping is given in AttributeFilterLegacyNameSpaceMapping.

IDP-774: All Velocity views gain a new context variable "custom", which is whatever is defined as the bean "shibboleth.CustomViewContext". Similarly, scripting subsystems gain a new injectable bean named "customObject" which is made available to scripts as the variable "custom". The syntax for the Scripted Attribute Definition, Scripted Data Connector, and Scripted Matcher and Policy Rule is extended to allow a new attribute, "customObjectRef", naming the bean to inject.

IDP-715: Plugins can add configuration by placing a Spring configuration file at /META-INF/net.shibboleth.idp/config.xml on the classpath for their jar. All copies of this file which are discovered will be loaded into the root context.

IDP-821: The Password login flow has been enhanced with support for sending the user into other login flows instead of returning its own result, allowing the offer of stronger methods at the same time the password prompt is available. See the documentation on this "Extended Flow" feature.

IDP-840: F-TICKS logging is now explicitly supported.

IDP-852: The default logging configuration has been redesigned to make use of property variables. These changes will not be installed during upgrades but may be reviewed afterwards in case they're of interest.

The LDAP and RDBMS data connectors have been enhanced to avoid repeated attempts to connect to failed data sources for a configurable period of time to improve failover performance. The new noRetryDelay setting enables this feature.
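The following fragment is an added illustration of two of the resolver changes above (the customObjectRef attribute on a scripted attribute definition from IDP-774, and the noRetryDelay setting on the LDAP data connector); it is example configuration written for this page, not taken from the project's distribution. The bean id affiliationMap and its group-to-affiliation mapping, the connector id myLDAP, the hostnames and DNs, and the five-minute retry delay are all assumptions for the example; only the element names, the customObjectRef and noRetryDelay attributes, and the "custom" script variable come from the release notes.

```xml
<!-- conf/global.xml: the object the script below sees as "custom".
     Bean id and contents are assumed for this example. -->
<util:map id="affiliationMap">
    <entry key="cn=staff,ou=groups,dc=example,dc=org"    value="staff" />
    <entry key="cn=students,ou=groups,dc=example,dc=org" value="student" />
</util:map>

<!-- conf/attribute-resolver.xml -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Script"
        customObjectRef="affiliationMap">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    <ad:Script><![CDATA[
        // "custom" is the bean named by customObjectRef (the map above).
        // Only mapped groups produce values, so an unexpected group DN is
        // never released as a raw affiliation.
        if (typeof memberOf != "undefined" && memberOf != null) {
            var groups = memberOf.getValues();
            var seen = {};
            for (var i = 0; i < groups.size(); i++) {
                var mapped = custom.get(groups.get(i).getValue());
                if (mapped != null && !seen[mapped]) {
                    eduPersonAffiliation.addValue(mapped);
                    seen[mapped] = true;
                }
            }
        }
        if (eduPersonAffiliation.getValues().size() > 0) {
            eduPersonAffiliation.addValue("member");
        }
    ]]></ad:Script>
</resolver:AttributeDefinition>

<!-- Two LDAP hosts; after a failed connection attempt the connector skips that
     source for the noRetryDelay period instead of retrying on every request. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap1.example.org ldaps://ldap2.example.org"
        baseDN="ou=people,dc=example,dc=org"
        principal="uid=idp,ou=services,dc=example,dc=org"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        noRetryDelay="PT5M">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>memberOf</dc:ReturnAttributes>
</resolver:DataConnector>
```

Two checks before relying on this: the value of noRetryDelay is written here as an ISO 8601 duration on the assumption that the attribute is parsed like the other duration settings in the resolver, and the script reads each value with getValue() so that the Map lookup is keyed by a String rather than by the attribute value wrapper object.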

Miscellaneous Fixes

IDP-666: To enable internationalization of messages displayed to users, the charset used when parsing message source property files has been changed to UTF-8.

IDP-685: The onlyIfRequired attribute as supplied to the MappedAttributeInMetadata and AttributeInMetadata filters was wrongly defaulting to false. This has been changed and it now defaults to true.

IDP-729: The restriction on sourcing persistent NameID values from a released attribute has been fixed and now defaults to allowing unreleased attribute sources since the value is not exposed directly.

IDP-780: A regression was corrected so that SP requests for the "unspecified" AuthnContext class are ignored, consistent with V2 behavior. A bean was added to allow the set of ignored values to be configured for advanced cases or to override this change.

IDP-782: In attribute filter construction, AND and OR Matchers and PolicyRules can now have a single child Matcher (or Rule).

IDP-785: A regression was corrected so that attributes with more than one compatible AttributeEncoder attached appear once for each encoder in the resulting SAML AttributeStatement.

JSE-15: The preferred way of specifying the backing file to the FileBackedHTTPResource is via the backingFile constructor parameter. The resource parameter still works but has been deprecated. See the documentation.


July 1, 2015

This is an interim bug fix release. For a complete list of issues addressed, see

Notable bugs which have been addressed are:

IDP-703: In previous releases, Failover data connectors did not work. This is fixed.

IDP-666: Allow non-ISO-Latin-1 characters in message files.

IDP-682: The ProfileRequestContext is now available to scripts as profileContext.

Mar 31, 2015 (Windows Only)

This is a service release of the 3.1.1 Windows Installer that fixes a bug (IDP-668) that was preventing proper upgrades of the installer. It is not a change to any of the supplied software, and is only relevant for new upgrades, or for anybody having problems with the upgrade process.

As part of this fix, it's important to note that any changes made directly to the webapp folder's contents after installation do not survive across upgrades. Any such changes must be made to the edit-webapp tree designed for that purpose.


Mar 26, 2015

For a complete list of issues addressed in this release, see

This is a bug fix release.

This release contains a fix for the issue described in the security advisory issued on March 26, 2015. Apart from upgrading, no other actions are required to address the issue.

A bug (IDP-646) was fixed where the maxValidityInterval of the RequiredValidUntil metadata filter was incorrectly interpreted in milliseconds rather than seconds if a duration was specified as a number rather than a duration string.
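As an added example (written for this page, not taken from the project's own configuration) of the metadata filter affected by IDP-646, here is a federation metadata provider whose validity bound is written as a duration string. The provider id, the metadata URL, the backing file path and the certificate path are assumed; the filter types, the maxValidityInterval attribute and the 14-day value are the ones the release notes and the surrounding filters refer to.

```xml
<!-- conf/metadata-providers.xml: a child of the ChainingMetadataProvider root -->
<MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://md.example.org/federation-metadata.xml"
        backingFile="%{idp.home}/metadata/federation-metadata.xml"
        maxRefreshDelay="PT4H">

    <!-- Verify the signature before trusting anything else in the document. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/federation-signing.crt" />

    <!-- Reject metadata whose validUntil is missing or more than 14 days out.
         Write the bound as an ISO 8601 duration: before the IDP-646 fix a bare
         number such as "1209600" (14 days in seconds) was read as milliseconds,
         i.e. about 20 minutes, so nearly every signed federation aggregate was
         refused as "valid for too long". -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
</MetadataProvider>
```

The filter order matters: signature validation runs first so that the validity check is applied to metadata that has already been authenticated. If a numeric value must be kept for some reason, confirm against the fixed release which unit it is interpreted in rather than assuming.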

A bug (IDP-642) was fixed that prevented use of the schema validation metadata filter.

A bug (IDP-635) was fixed that ignored languages preferred by the browser when displaying attributes during consent to attribute release.

A bug (IDP-651) was fixed that prevented the idp.session.consistentAddress property from being turned off.

A bug (IDP-654) was fixed that prevented the use of configuration properties to set return attributes in the LDAP data connector configuration.

Several bugs in CAS protocol support were fixed: IDP-614 (integration), IDP-658 (error handling), IDP-659 (concurrency).

An improvement to the messages/ file was made in the way that runtime exception messages are rendered, so updating to the most recent version of this file is suggested, or alternatively just copying over the updated runtime-error.message property.


Mar 10, 2015

For a complete list of issues addressed in this release, see

Important Notes for Upgraders

This release corrects a bug in the handling of null or empty attribute values in the attribute resolver, and the fix was done in a way that is incompatible with some scenarios that V2 supported. This change is described in a few places in the documentation, including here. If you have data connectors, attribute definitions, and particularly scripts that rely on the support in V2 for null values embedded in results, you may experience issues and will need to make adjustments to your scripts to account for the new EmptyAttributeValue class that distinguishes these values from the rest.

New Objects

The following new properties have been added in this release (defaults in parentheses):

The following new beans have been added in this release:

Miscellaneous Fixes

This is a bug fix release. Addressing IDP-573, which corrected a serious bug in the attribute resolver, required the addition of new public APIs, necessitating a minor version change, but this is not a significant feature upgrade. A few new properties and Spring beans have been added, and these are denoted in the documentation with the superscript 3.1 to distinguish them. Anything so denoted will be ignored or fail if used with an earlier version. (This convention will be used going forward to denote anything introduced with new releases.)

New properties were added for configuring alternative storage services for the replay cache and artifact store for clustered deployments.

A new "map" bean was added to conf/authn/general-authn.xml to address IDP-602 and make it possible to apply more control over which SAML AuthenticationMethod/AuthnContextClassRef is returned from a login flow that supports more than one. A map of Principal objects to numeric weights is used to favor some over others. The default configuration now applies a weight of "1" to the "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" context class principal so that it is used in place of "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" when both are potentially valid. You can add this bean from the delivered file into your configuration to incorporate this improvement.
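The weight map described above, shown as an added example rather than copied from the page. The bean id shibboleth.AuthenticationPrincipalWeightMap and the parent bean shibboleth.SAML2AuthnContextClassRef are the names used in the delivered V3 conf/authn/general-authn.xml; check them against your own copy. The first entry reproduces the shipped default (weight 1 for PasswordProtectedTransport); the second entry, with an assumed context class and weight, is added to show how a deployer favours a stronger method when a login flow can satisfy more than one class.

```xml
<!-- conf/authn/general-authn.xml -->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">

    <!-- Shipped default: prefer PasswordProtectedTransport over plain Password
         when a flow could return either. -->
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value>
    </entry>

    <!-- Assumed addition: a flow that also satisfies a token-based class should
         assert that class rather than the password one. Higher weight wins. -->
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
        </key>
        <value>2</value>
    </entry>
</util:map>
```

Any Principal not listed in the map is treated as weight zero, so only the classes you deliberately rank need an entry; the map does not change which classes a flow is declared to support, only which one is asserted when several apply.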

Per IDP-580, a syntax introduced in V3.0 to declare <security:TrustEngine> elements inside <metadata:MetadataProvider> elements has been deprecated in favor of declaring the trust engine element directly within a metadata:SignatureValidation MetadataFilter, which is the only current filter plugin that supports such an object. The deprecated syntax will likely be removed promptly due to its limited usefulness and very recent introduction.

A bug (IDP-585) was fixed that prevented the use of caching in the attribute resolver. In conjunction with this fix, the deprecated cacheResults LDAP/RDBMS data connector attribute is no longer honored (and a warning emitted). The <dc:ResultCache> and <dc:ResultCacheBean> elements are now the only supported mechanism for configuring caching.

Several bugs (IDP-588) were fixed to support using server-side storage such as MySQL or other databases for storage of consent decisions.

Per IDP-560, the default/example view templates include a few improvements, so you may wish to review those changes if you have a previous install, as the original files will not be overwritten.

Feb 25, 2015 (Windows Only)

This is a service release of the 3.0.0 Windows Installer that updates Jetty to 9.2.9.v20150224 to address a Jetty security issue. If you did not install Jetty via the Shibboleth installer, then this update is not required (but of course you may still be affected by the issue if you have an affected Jetty version in use).

As noted on the WindowsInstallation page, service releases (represented by the fourth version number) do not indicate an actual update to the Shibboleth software, only to third party components we support.


Dec 22, 2014

This is the first release of the third-generation Identity Provider software. The key documentation links are located on the IDP30 space Home page, such as SystemRequirements, Installation, and UpgradingFromV2 material.

This release should interoperate with all previous releases of Shibboleth and other software that supports the same standards. As a major upgrade, the list of issues fixed and features added is numerous and you should refer to the documentation itself for information on what's changed or new.

Changes in behavior from previous releases:

  • A change was made to the process of selecting the format of NameIdentifier included in assertions. A <NameIDFormat> element in an SP's metadata containing "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" is no longer evaluated when selecting the format to use. Selecting that format requires supplying a nameIDFormatPrecedence property in the RelyingPartyConfiguration (both the legacy and current formats allow this).
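As an added example of the nameIDFormatPrecedence override the behaviour change above requires (written for this page, not taken from the project's own files): a per-SP override in conf/relying-party.xml that selects the "unspecified" format for a single legacy SP while leaving the default selection logic in place for everyone else. The SP entityID is assumed; RelyingPartyByName and SAML2.SSO are the parent bean names used by the V3 relying-party.xml overrides.

```xml
<!-- conf/relying-party.xml: inside the shibboleth.RelyingPartyOverrides list -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://legacy-sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <!-- Only this SP gets the "unspecified" format, and only because it
                 insists on it; its <NameIDFormat> metadata element alone no
                 longer selects it. -->
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
            <!-- The override list replaces the default profile set for this SP,
                 so list every profile the SP actually needs. -->
        </list>
    </property>
</bean>
```

Two checks: the format named in the precedence list must also have a generator configured in conf/saml-nameid.xml, otherwise the IdP still has nothing to issue for it; and scoping the override to explicit entityIDs keeps the weaker "unspecified" format from being offered to SPs that merely advertise it in metadata.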