  • Update all links to the Shibboleth Wiki that moved into the cloud.
  • Add 'Update the messages.properties configuration' to the 'Upgrading from version 3.3.x to 3.4.x' section.
  • Update idp-install.sh to generate a key pair with a self-signed certificate valid for 10 instead of 3 years. The default key size has already been 3072 bits since IdPv3.4.
  • Add template for uidNumber attribute to the attribute-resolver-other.xml file and align description for uid.
  • Increased minor version number from 3.4.7 to 3.4.8
  • Fixed broken link to Tomcat Wiki
  • Add missing template for the ou attribute to the attribute-resolver-other.xml file.
  • Increased minor version number from 3.4.6 to 3.4.7
  • Add upgrade hint for deprecated requestContext.principalName method.
  • Fixed the attribute-filter download URL (inserted _v4) in General IdP settings so that the IdPv3.4 loads the attribute-filter in its new, more compact, IdPv4 forward compatible schema.
  • The IdPv3.4 upgrade instructions now include the step to modify the attribute-filter download URL.
  • Added the config for HTML Local Session Storage in conf/idp.properties to ensure that SSO also works with new browser versions that default to SameSite=Lax.
  • Updated the references to the latest version to IdP 3.4.6.
  • Updated the IdP status URL configuration in conf/access-control.xml to limit the access to the status page only.
  • Updated metadata-provider-* files in chapter Federation metadata configuration:
    Removes the deprecated metadata:ChainingFilter; it is no longer necessary.
    Fetch the updated files and replace the currently active ones after reviewing the changes.
  • Updated attribute-resolver-* files in chapter Attribute resolution configuration:
    Replaces all deprecated tags or elements, namely sourceAttributeID and Dependency. Adds encodeType="false" to the AttributeEncoders to suppress unnecessary type info in the SAML assertion. The new files are IdPv4 compatible.
    Fetch the updated files and carefully compare them with your currently active files. You need to modify the new files for your user directory environment!
  • Updated script for credentials/rotate-sealer.sh. It no longer uses a Java class but the seckeygen.sh script.
  • Modifies the default attribute-resolver-connectors.xml file to configure a <ConnectionPool> for the <DataConnector>.
    See also these upgrade instructions: Configure an Attribute Resolver Connection Pool
  • Updates the User Authentication section to make use of the explicit certificate trust configuration instead of the JVM trust store.
2018-07-12 Adds a warning for RHEL/CentOS to chapter '5.1 PostgreSQL Installation' that the recent postgresql-jdbc RPM from the distro requires Java 8 instead of Java 7.
Therefore, any future rebuild of idp.war will fail unless you replace the postgresql-jdbc driver with one for Java 7.
2018-06-01 Guide updated to make use of the newly published metadata file with only SP entities instead of the slightly bigger legacy file with SP as well as IdP entities.
  • Replace the metadata provider file in /opt/shibboleth-idp/conf with the updated version using one of these two statements, depending on the federation your IdP is registered with:
    • sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-switchaai.xml
    • sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-aaitest.xml
2018-05-16 Guide updated for IdPv3.3.3 (affects download links only)
2018-04-18 Bug fixed in attribute-resolver-interfederation-core.xml for schac:homeOrganizationType values higherEducationalInstitution and educationalInstitution
2017-10-05 Adds step 4) to replace pc: prefix occurrences in the XML Namespace Cleanup in Attribute Resolution Configuration section.
2017-10-04 Guide updated for IdPv3.3.2
2017-06-08 New link to LDIF files in the Attribute resolution configuration section.
2017-04-21 New Note in Upgrading from version 3.2.x to 3.3.x that update overwrites system/messages
2017-03-20 Guide updated for IdPv3.3.1
  • The guide now covers IdPv3.3.1
  • Fixes the path for the message translations for IdPv3.3.x. These messages_XX.properties files need to go into /opt/shibboleth-idp/messages/ directory. In the earlier proposed system/messages directory they get overwritten the next time you run the installer!
2017-02-23 Guide updated for IdPv3.3
2016-12-20 HTML encoding fixed to correctly display code snippets in pop-up windows
  • Code snippets displayed in pop-up windows were not always correct since pop-up windows do not evaluate JavaScript.
2016-06-02 Explicit choice of language in the login form
  • A new reference in 'Login form customization' points to the details in the Shibboleth Wiki on how to switch locale.
2016-06-02 Messages Translation promoted to its own chapter
  • Messages Translation was only a section in 'Login form customization'; now it is its own chapter.
2016-05-24 Remove two IP addresses from shibboleth.IPRangeAccessControl
  • The two IP addresses of the former Resource Registry were removed from the shibboleth.IPRangeAccessControl bean.
2016-05-18 Fixed two broken links
  • Two links pointing to the Shibboleth Wiki were fixed since the pages they were pointing to moved.
2016-03-04 Translation messages
  • An example was added to show how to adapt your translation messages.
2016-03-04 A note about Java8 and Tomcat8
  • We added links to the shibwiki in case you need to install Tomcat 8 and Java 8.
2016-02-24 Available RAM size dynamically suggests Tomcat Memory configuration
  • Available RAM size is a new setup input field. Its value affects the suggested JAVA_OPTS setting for Tomcat.
2016-02-23 New section on Final Tests
  • Test whether your IdP properly responds to SAML Attribute Queries.
2016-02-11 Apache Configuration enhanced
  • In the Apache Configuration, the X-Frame-Options DENY was added to prevent iframe embedding and HTTP Strict Transport Security (HSTS) was enabled.
2015-12-22 Update for 3.2.1 release
  • The updated template for consent-intercept-config.xml makes use of the newly introduced AttributeDisplayOrder list.
2015-12-17 Reorganise 3.1 to 3.2 upgrade procedure
  • Rearranged upgrade instructions so that those that require the IdP to be stopped (database migration) are grouped at the end.
  • Added explicit mention of when Tomcat should be stopped.
  • Fixed database migration SQL commands to preserve constraints on the storagerecords table.
2015-12-07 PostgreSQL
  • In addition to the daily PostgreSQL backup, we added a second cron entry that creates an hourly backup.
2015-11-27 We improved the guide for version 3.2 with the following changes:
  • Changed the PostgreSQL database structure and provided a script to migrate to the new DB structure
  • In idp.properties, the auto-generated metadata under the URL of the IdP's entity ID is disabled
  • AttributeFilter: change to the new syntax in idp.properties
  • attribute-resolver-other.xml was added to the standard configuration. All attributes but eduPersonEntitlement with the common-lib-terms value are commented out by default.
  • persistentID: we no longer need the detour via the additional attribute definition for swissEduPersonUniqueID.withoutAttributeEncoder
  • saml-name-id.properties: we replaced idp.persistentId.store with the new property idp.persistentId.dataSource
  • attribute-resolver-connectors.xml: the bug with the random-salt is fixed, so the work-around can be removed
  • New consent-intercept-config.xml file with a defined ordering for the attribute release consent dialog as well as an extended blacklist that also covers the usually cryptic unique identifiers.
2015-11-10 PostgreSQL
  • To avoid problems with data loss when running vacuumlo, the database structure was changed; large objects are no longer needed