Shibboleth SP 2.4 has been released recently (December 2010) and the syntax for Session Initiators has changed substantially. This page documents the key differences between Shibboleth SP 2.3 and 2.4 and the updates process.

The bottom line is that a yum update shibboleth will preserve all of the Shibboleth configuration files (and store the new ones with the .rpmnew suffix) - and so will leave you with a running system. The only exception is it's overwriting /etc/httpd/conf.d/shib.conf - the original file will be renamed with the .rpmsave suffix and the configuration will not be in effect until reapplied.

Updating to Shib SP 2.4

  • /etc/httpd/conf.d/shib.conf gets replaced with a new version - copy over any local modifications
  • New attribute-policy.xml gets stored as .rpmnew - preserving original file.
    • Merge local changes with updates into attribute-policy.xml (only minor changes between .dist versions)
  • New attribute-map.xml gets stored as .rpmnew - preserving original file
    • Merge local changes with updates into attribute-map.xml (only minor changes between .dist versions - reordering attributes, adding a few new ones)
  • The main Shibboleth configuration file: shibboleth2.xml: saved as .rpmnew, original file preserved and still works.

Details of changes to shibboleth2.xml in ShibSP 2.4:

  • Only one instance of (local SP entityId)
    • No more Site/Host elements
  • No "Chaining" MetadataProvider - just flat hierarchy
  • The handlerSSL attribute is still the same (and still defaulting to "false")
  • Session Initiators: edit <SSO> element
    • remove reference to default - delete the entityID attribute
    • configure DS URL in discoveryURL:
  • To configure an IdP specific login URL, go to the /Login session initiator with an entityID query parameter:
  • Note that the session initiator to use with the federation has moved from /Shibboleth.sso/DS to /Shibboleth.sso/Login
  • No labels