Why Upgrade to Shibboleth Identity Provider Version 4 in 2020?

Published on: September 2, 2020
Mike Grady, Software Architect

Secure and seamless learner access to online learning tools and content is more important than ever, especially if budget constraints caused by Covid-19 have forced cutbacks to your support options. An up-to-date Shibboleth Identity Provider is essential.

There is a new major version of the Shibboleth Identity Provider (Shib IdP) 4.x series that has been available since March 2020. There are several reasons why we highly recommend planning an upgrade to v4 before the end of 2020.

Security assurance

Your single sign-on (SSO) service is a critical part of your institution’s IAM security. The 3.x series of the IdP will reach “end of life” (EOL) at the end of 2020, meaning that the core Shibboleth Consortium team will no longer provide any security patches or releases for IdP 3.x come January 1, 2021. Additionally, the underlying Spring Framework 4.x on which IdP 3.x is built is also EOL at the end of 2020. You really don’t want a key component of your institution’s IAM infrastructure to depend on software that is no longer maintained.

Expanded capabilities and flexibility for supporting your evolving SSO requirements

Shib IdP v4 starts with some significant new features, including the ability to be “layered over” another SAML-capable SSO service such as Azure AD, Okta, etc. That new “delegate authentication to another SAML IdP” feature can also be leveraged to have your Shib IdP become an “IdP Proxy,” potentially delegating authentication to multiple SAML IdP services. Shib IdP v4 also includes a more flexible password authentication handler, providing easier ways to accommodate specific needs around using passwords for authentication. As the IdP 4.x version evolves, it will continue to provide new options and more flexibility.

Simplification and clarity

There are new configuration options that make it even easier to get the IdP to behave exactly as needed with a given SP/relying party, and new ways to segment the configuration into more easily understood “chunks.” The biggest change involves the attribute resolver configuration. Previously, one file handled both the mappings from the attribute sources into attributes ready to be released and the encoders, that is, how each attribute is named and described for each protocol when it is part of a response, displayed for consent, and so on.

You can still use the single-file approach, but IdP v4 also supports a new approach in which that one file becomes two or more files. The resolver still handles the mapping from the attribute sources into the set of IdP attributes. But the encoding rules that determine exactly how an attribute is labeled, named, and identified when it is sent to a particular service or displayed to the user now live in one or more attribute registry files. You may find this model easier to understand and manage, particularly as you consider using the IdP for additional authentication protocols (not just SAML, but also CAS and OpenID Connect).
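To make the split concrete, here is an added illustration of the same attribute under both models. It is not taken from the post or from the files the Shibboleth project ships; it assumes an LDAP data connector with the id `myLDAP`, uses the standard eduPersonPrincipalName attribute names, and puts the registry rule in a file under conf/attributes/custom/, which IdP 4 loads by default. The three fragments are shown together for comparison and would normally live in separate files.

```xml
<!-- IdP 3.x style: one file (conf/attribute-resolver.xml) holds both the
     mapping from the data source and the per-protocol encoders. -->
<AttributeDefinition xsi:type="Simple" id="eduPersonPrincipalName">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"/>
</AttributeDefinition>

<!-- IdP 4 style, part 1 (conf/attribute-resolver.xml): the resolver only maps
     the source attribute into the IdP attribute. No encoders here. -->
<AttributeDefinition xsi:type="Simple" id="eduPersonPrincipalName">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
</AttributeDefinition>

<!-- IdP 4 style, part 2 (assumed path conf/attributes/custom/eppn.xml): a
     transcoding rule in an attribute registry file states how that IdP
     attribute is named on the wire for each protocol and how it is shown to
     the user on a consent page. The "id" must match the resolver id above. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean parent="shibboleth.TranscodingRule">
        <property name="properties">
            <props>
                <prop key="id">eduPersonPrincipalName</prop>
                <!-- one rule can serve several protocols at once -->
                <prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder CASStringTranscoder</prop>
                <prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.6</prop>
                <prop key="saml1.name">urn:mace:dir:attribute-def:eduPersonPrincipalName</prop>
                <prop key="displayName.en">Principal Name</prop>
                <prop key="description.en">Unique identifier for the person</prop>
            </props>
        </property>
    </bean>
</beans>
```

Two things worth checking when you adopt this model: the rules that ship with IdP 4 already cover the standard eduPerson and inetOrgPerson attributes, so a custom rule like the one above is only needed for institution-specific attributes (eduPersonPrincipalName is used here purely because the mapping is recognisable); and the attribute filter policy that decides which attributes are released to which relying party is unchanged by the split, so the release rules still need to be reviewed separately.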

The Shib IdP v4 Installer has also been improved, making upgrading even easier and safer.

Upgrading is easy

Unicon is here to help, support, and execute the upgrade when the timing is right for your institution. Simply reach out to us and we’ll collaborate or take the reins to plan and get your upgrade completed.

And remember, if you are a Unicon Open Source Support (OSS) subscriber, we will continue to support your “Shibboleth pre v4” version until your institution decides that the time has come to upgrade.


Mike Grady

Software Architect

Mike Grady has expertise in a broad range of IT, with deep knowledge specifically in higher education IT, identity management, and research cyberinfrastructure. Since joining Unicon in 2012, Mike has focused on Identity and Access Management (IAM). He assists clients with a broad range of IAM needs, including strategy and assessment, consulting, implementation, and support. He has been involved with InCommon and Internet2 for years, and is currently a member of the InCommon Technical Advisory Committee. Prior to joining Unicon, he worked in academic IT at the University of Illinois at Urbana-Champaign for 36 years in a variety of roles. In total, Mike has spent 44+ years working in IT.