Shibboleth SP 2.4 has been released recently (December 2010) and the syntax for Session Initiators has changed substantially. This page documents the key differences between Shibboleth SP 2.3 and 2.4 and the updates process.
The bottom line is that a
yum update shibboleth will preserve all of the Shibboleth configuration files (and store the new ones with the .rpmnew suffix) - and so will leave you with a running system. The only exception is it's overwriting
/etc/httpd/conf.d/shib.conf - the original file will be renamed with the
.rpmsave suffix and the configuration will not be in effect until reapplied.
Updating to Shib SP 2.4
/etc/httpd/conf.d/shib.confgets replaced with a new version - copy over any local modifications
attribute-policy.xmlgets stored as .rpmnew - preserving original file.
- Merge local changes with updates into attribute-policy.xml (only minor changes between .dist versions)
attribute-map.xmlgets stored as .rpmnew - preserving original file
- Merge local changes with updates into attribute-map.xml (only minor changes between .dist versions - reordering attributes, adding a few new ones)
- The main Shibboleth configuration file:
shibboleth2.xml: saved as .rpmnew, original file preserved and still works.
- BUT, significant changes in between the versions - start with a clean file (shibboleth.xml.dist) and re-apply any local changes (following the Installing Shibboleth SP on RedHat based Linux manual)
Details of changes to shibboleth2.xml in ShibSP 2.4:
- Only one instance of sp.example.org (local SP entityId)
- No more Site/Host elements
- No "Chaining" MetadataProvider - just flat hierarchy
- The handlerSSL attribute is still the same (and still defaulting to "false")
- Session Initiators: edit <SSO> element
- remove reference to default idp.example.org - delete the entityID attribute
- configure DS URL in discoveryURL:
- To configure an IdP specific login URL, go to the /Login session initiator with an entityID query parameter:
- Note that the session initiator to use with the federation has moved from /Shibboleth.sso/DS to /Shibboleth.sso/Login