Thank You for Attending Overt Software’s Fireside Chat on Shibboleth v5!
First and foremost, we want to extend our heartfelt thanks to everyone who joined our fireside chat on Shibboleth v5. We are thrilled that so many of you attended and engaged with us. Your questions and feedback truly help drive innovation, and we’re delighted to assist you with understanding the new features and possibilities offered by Shibboleth v5.
Missed the fireside chat or want to revisit the discussion? Watch the full webinar by clicking the play button below.
In today’s blog, we will recap the key highlights from the chat and dive into what makes this new version of Shibboleth so powerful for organisations looking to strengthen their federated access management systems.
What’s New in Shibboleth v5?
In the fireside chat, Harry Williams, our Shibboleth Support Engineer, took us through some of the most exciting features in Shibboleth v5. These updates are designed to ensure your access management system is not only secure but also streamlined for both IT administrators and end users. Let us take a closer look at the top features:
1. Expanded Support for Content Security Policy (CSP)
One of the standout security enhancements in Shibboleth v5 is the expanded support for Content Security Policy (CSP). CSP is a browser-enforced standard: the server sends a Content-Security-Policy response header, and the browser then loads only the resources (JavaScript, CSS, images, frames) that the header's directives permit. In effect it is an allowlist of trusted sources, so markup an attacker manages to inject into a page cannot pull in or execute anything the policy does not name.
This is particularly useful against attacks like:
- Cross-Site Scripting (XSS): with script-src limited to trusted origins, and inline scripts permitted only via a nonce or hash, an injected script tag does not run even if it reaches the page. CSP is a second line of defence here, not a replacement for output encoding in the view templates.
- Clickjacking: the frame-ancestors directive controls which origins may embed the IdP's pages in a frame, so a hostile site cannot overlay the login form with invisible elements.
- Injected resources: CSP does not inspect data, but directives such as img-src, object-src and frame-src stop injected markup from loading content from attacker-controlled hosts.
- Malware distribution: limiting script and object sources reduces the chance that a compromised third-party host can serve malicious code through the page.
- Content injection and defacement: injected inline styles, images or frames that would change what the user sees are blocked when their sources are not on the policy, which limits how far an injection can alter the page's appearance. CSP does not, however, protect the server itself from being modified.
With these expanded controls, Shibboleth v5 gives the IdP's own login and consent pages a much smaller attack surface. The usual caveats apply: any customised view templates must conform to the policy (for example, no unmarked inline scripts), and a new policy is best tested in report-only mode (the Content-Security-Policy-Report-Only header) before it is enforced, so that legitimate resources are not silently blocked.
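To make the allowlist behaviour concrete, here is an added example (not code from the page, Overt Software or the Shibboleth project) that parses a CSP header value and answers the question a browser asks for each load: is this resource, under this directive, permitted? The policy string, the page origin idp.example.org and the resource URLs are all constructed for the demonstration. It also shows two details that catch people out in practice: fetch directives fall back to default-src but frame-ancestors does not, and 'unsafe-inline' is ignored once a nonce or hash is present.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy maps a directive name (e.g. "script-src") to its source expressions.
type Policy map[string][]string

// ParseCSP parses a Content-Security-Policy header value: directives are
// separated by ';' and the tokens within a directive by whitespace.
func ParseCSP(header string) Policy {
	p := Policy{}
	for _, raw := range strings.Split(header, ";") {
		fields := strings.Fields(raw)
		if len(fields) == 0 {
			continue
		}
		p[strings.ToLower(fields[0])] = fields[1:]
	}
	return p
}

// fetchDirectives fall back to default-src when absent; frame-ancestors and
// form-action do not, which is a common misconfiguration.
var fetchDirectives = map[string]bool{
	"script-src": true, "style-src": true, "img-src": true, "font-src": true,
	"connect-src": true, "media-src": true, "object-src": true, "frame-src": true,
}

// sources returns the effective source list; ok=false means the policy is
// silent on this directive and the browser will allow the load.
func (p Policy) sources(directive string) (srcs []string, ok bool) {
	if srcs, ok = p[directive]; ok {
		return srcs, true
	}
	if fetchDirectives[directive] {
		srcs, ok = p["default-src"]
	}
	return srcs, ok
}

// matchSource is a simplified host-source match: optional scheme, optional
// leading "*." wildcard, port compared as part of the host.
func matchSource(expr string, u, page *url.URL) bool {
	if strings.HasSuffix(expr, ":") && !strings.Contains(expr, "/") { // scheme source, e.g. "https:"
		return strings.EqualFold(u.Scheme, strings.TrimSuffix(expr, ":"))
	}
	host := expr
	if i := strings.Index(expr, "://"); i >= 0 {
		if !strings.EqualFold(u.Scheme, expr[:i]) {
			return false
		}
		host = expr[i+3:]
	} else if !strings.EqualFold(u.Scheme, page.Scheme) && u.Scheme != "https" {
		return false // scheme-less sources inherit the page scheme (or https)
	}
	if i := strings.Index(host, "/"); i >= 0 {
		host = host[:i]
	}
	if strings.HasPrefix(host, "*.") {
		return strings.HasSuffix(strings.ToLower(u.Host), strings.ToLower(host[1:]))
	}
	return strings.EqualFold(u.Host, host)
}

// Allows reports whether a resource at resourceURL may be loaded under
// directive by a page whose origin is pageOrigin ("scheme://host[:port]").
func (p Policy) Allows(directive, pageOrigin, resourceURL string) bool {
	srcs, ok := p.sources(directive)
	if !ok {
		return true
	}
	u, err := url.Parse(resourceURL)
	page, err2 := url.Parse(pageOrigin)
	if err != nil || err2 != nil {
		return false
	}
	for _, s := range srcs {
		switch strings.ToLower(s) {
		case "'none'":
			continue // matches nothing
		case "*":
			return true
		case "'self'":
			if strings.EqualFold(u.Scheme, page.Scheme) && strings.EqualFold(u.Host, page.Host) {
				return true
			}
		default:
			if !strings.HasPrefix(s, "'") && matchSource(s, u, page) {
				return true
			}
		}
	}
	return false
}

// AllowsUnmarkedInline reports whether an inline script or style carrying no
// nonce or hash would run: 'unsafe-inline' is honoured only when the
// directive has no nonce or hash sources (CSP level 2 and later).
func (p Policy) AllowsUnmarkedInline(directive string) bool {
	srcs, ok := p.sources(directive)
	if !ok {
		return true
	}
	unsafe := false
	for _, s := range srcs {
		l := strings.ToLower(s)
		if strings.HasPrefix(l, "'nonce-") || strings.HasPrefix(l, "'sha256-") ||
			strings.HasPrefix(l, "'sha384-") || strings.HasPrefix(l, "'sha512-") {
			return false
		}
		if l == "'unsafe-inline'" {
			unsafe = true
		}
	}
	return unsafe
}

// ExamplePolicy is a constructed header value for a login page; it is not the
// policy the Shibboleth IdP ships.
const ExamplePolicy = "default-src 'self'; script-src 'self' https://cdn.example.org; object-src 'none'; frame-ancestors 'none'"

func main() {
	p := ParseCSP(ExamplePolicy)
	page := "https://idp.example.org"
	for _, c := range [][2]string{
		{"script-src", "https://idp.example.org/js/login.js"},
		{"script-src", "https://attacker.example.net/x.js"},
		{"img-src", "https://cdn.example.org/logo.png"},
		{"frame-ancestors", "https://idp.example.org"},
	} {
		fmt.Printf("%-15s %-45s allowed=%v\n", c[0], c[1], p.Allows(c[0], page, c[1]))
	}
	fmt.Println("unmarked inline script allowed:", p.AllowsUnmarkedInline("script-src"))
}
```

The img-src case is the instructive one: cdn.example.org is allowed for scripts but not for images, because img-src is absent and therefore inherits default-src 'self'. Conversely, a policy that sets only default-src leaves frame-ancestors unset, so framing is still allowed; that is why the example policy names it explicitly.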
2. Sealed Cookies for Secure Authentication
Another feature in Shibboleth v5 that improves both security and user experience is the introduction of sealed cookies in certain login flows. This feature allows for the secure storage of usernames, providing a convenient yet secure method for pre-populating login fields. Currently available in the password flow, this feature might be extended to other flows with additional configuration.
How does this work? A traditional "remember me" cookie often holds the value in plaintext, so anyone who can read the cookie can read it and anyone who can edit it can change it. Shibboleth's sealed cookies are instead encrypted and integrity-protected with a key that only the IdP holds. The browser stores an opaque value: the username inside cannot be read or altered without the server's key, and a modified cookie is rejected rather than silently accepted. As with any sealed data, the server key must be managed carefully, since rotating it without retaining the previous version renders existing cookies unreadable.
The result is a faster login, because the username field is pre-filled, without weakening authentication: only the username is stored, never the password, and the sealed value is not a credential, so copying it to another browser grants nothing beyond a pre-filled field.
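The following added example (not Shibboleth's own DataSealer code, nor code from the page) shows what "encrypted and signed by the server" means in practice, using AES-GCM, which provides both properties in one operation. The cookie name, the username and the in-memory key are constructed for the demonstration; a real IdP loads its sealer key from a managed keystore. The demo seals a username, unseals it, and then shows the three failures a practitioner cares about: a tampered value, a value replayed under a different cookie purpose, and a value presented to a server holding a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Sealer wraps a server-side AES-GCM key. The browser only ever sees the
// opaque sealed value; it cannot read or modify what is inside.
type Sealer struct{ aead cipher.AEAD }

// NewSealer accepts a 16-, 24- or 32-byte key.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts and authenticates plaintext. The purpose string is bound as
// associated data, so a value sealed for one cookie cannot be replayed as a
// different cookie that happens to share the key.
func (s *Sealer) Seal(plaintext []byte, purpose string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(purpose)) // ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Unseal reverses Seal. Any modification to the value, or use under another
// purpose or key, fails authentication and yields an error, never garbage.
func (s *Sealer) Unseal(value, purpose string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	n := s.aead.NonceSize()
	if len(raw) < n+s.aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(purpose))
	if err != nil {
		return nil, errors.New("sealed value failed authentication")
	}
	return pt, nil
}

// Tamper flips one bit in the ciphertext, as an attacker editing the cookie in
// the browser's storage would.
func Tamper(value string) string {
	raw, _ := base64.RawURLEncoding.DecodeString(value)
	raw[len(raw)/2] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

// DemoResult summarises the round trip and the three rejected cases.
type DemoResult struct {
	Username                                             string
	TamperRejected, WrongPurposeRejected, WrongKeyRejected bool
}

// Demo seals a constructed username under a hypothetical cookie name.
func Demo() (DemoResult, error) {
	key := make([]byte, 32) // demo key only; a real IdP uses a managed keystore
	if _, err := rand.Read(key); err != nil {
		return DemoResult{}, err
	}
	s, err := NewSealer(key)
	if err != nil {
		return DemoResult{}, err
	}
	const purpose = "idp_remembered_username" // hypothetical cookie name
	cookie, err := s.Seal([]byte("jsmith"), purpose)
	if err != nil {
		return DemoResult{}, err
	}
	username, err := s.Unseal(cookie, purpose)
	if err != nil {
		return DemoResult{}, err
	}
	_, errTamper := s.Unseal(Tamper(cookie), purpose)
	_, errPurpose := s.Unseal(cookie, "some_other_cookie")
	otherKey := make([]byte, 32)
	rand.Read(otherKey)
	other, _ := NewSealer(otherKey)
	_, errKey := other.Unseal(cookie, purpose)
	return DemoResult{string(username), errTamper != nil, errPurpose != nil, errKey != nil}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The wrong-key case is what key rotation looks like from the cookie's point of view: a cookie sealed under the old key is simply rejected by a server that only holds the new one, which is why sealer keys are normally versioned and the previous version kept for a grace period.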
3. Simplified Update Checks with idp.updatecheck.enable
One of the more administrative-focused features is the new idp.updatecheck.enable property. When enabled, the IdP checks at startup whether a newer release is available and records the result in its startup log, so administrators see it alongside the rest of the boot output instead of having to look it up online. Note that the check requires the IdP to make an outbound request at startup, so any egress filtering on the server needs to allow it.
Because the result is written to the IdP's log rather than exposed through a web endpoint, only those with access to the server's logs see it. This is a small but useful addition for those maintaining Shibboleth servers: it simplifies version tracking and, provided the updates are then applied, helps keep the deployment patched.
4. Integration with OpenID Connect (OIDC)
As part of its evolution, Shibboleth v5 has made significant strides in its integration with OpenID Connect (OIDC). OIDC is an identity layer on top of OAuth 2.0: the application (the relying party) receives a signed ID token, a JWT carrying the issuer, subject, audience, expiry and a nonce, which it verifies before trusting the login. That makes it the natural fit for web applications and mobile apps that do not support SAML.
Shibboleth v5 can act as both an OpenID Provider (OP) and an OIDC Relying Party (RP), with the corresponding plugins installed. As an OP, Shibboleth authenticates users and issues tokens that OIDC-based applications use for login. As an RP, Shibboleth can consume tokens from external OIDC providers, such as Google or Microsoft, and treat that as the user's authentication, making it easier to integrate with a wider range of platforms.
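What an RP actually has to check before it trusts an ID token is the part of OIDC that is most often got wrong, so here is an added example (not the page's or the Shibboleth OIDC plugin's code) that plays both sides: an OP signing an RS256 ID token, and an RP verifying it. The issuer URL, client ID, subject and nonce are constructed values, and the token's aud claim is assumed to be a single string (the spec also allows an array). The RP pins the algorithm and verifies the signature before reading any claim, then checks iss, aud, exp and nonce; the demo shows a forged payload, a token for a different client, an expired token and an alg:none token all being refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of ID token claims an RP must check.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

// SignIDToken is the OP side: RS256 over "header.payload".
func SignIDToken(c Claims, key *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the RP side. Order matters: pin the algorithm and check the
// signature before trusting any claim, then check iss, aud, exp and nonce.
func VerifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose: "none" is a classic bypass
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("token was issued for a different client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return &c, nil
}

// DemoResult records the accepted subject and four rejected tokens.
type DemoResult struct {
	Subject                                                              string
	TamperedRejected, WrongAudienceRejected, ExpiredRejected, AlgNoneRejected bool
}

// Demo plays both roles with a freshly generated key and constructed identifiers.
func Demo() (DemoResult, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	now := time.Now()
	const issuer, client, nonce = "https://idp.example.org", "app-client-id", "n-0S6_WzA2Mj"
	exp := now.Add(5 * time.Minute).Unix()
	tok, err := SignIDToken(Claims{Iss: issuer, Sub: "jsmith", Aud: client, Exp: exp, Iat: now.Unix(), Nonce: nonce}, key)
	if err != nil {
		return DemoResult{}, err
	}
	c, err := VerifyIDToken(tok, &key.PublicKey, issuer, client, nonce, now)
	if err != nil {
		return DemoResult{}, err
	}
	parts := strings.Split(tok, ".")
	forged, _ := json.Marshal(Claims{Iss: issuer, Sub: "admin", Aud: client, Exp: exp, Nonce: nonce})
	_, errTamper := VerifyIDToken(parts[0]+"."+b64.EncodeToString(forged)+"."+parts[2], &key.PublicKey, issuer, client, nonce, now)
	_, errAud := VerifyIDToken(tok, &key.PublicKey, issuer, "other-client", nonce, now)
	_, errExp := VerifyIDToken(tok, &key.PublicKey, issuer, client, nonce, now.Add(time.Hour))
	none := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + parts[1] + "."
	_, errNone := VerifyIDToken(none, &key.PublicKey, issuer, client, nonce, now)
	return DemoResult{c.Sub, errTamper != nil, errAud != nil, errExp != nil, errNone != nil}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

In a real deployment the RP fetches the OP's public keys from its JWKS endpoint and selects by the token's kid header; the example takes the key as a parameter to stay offline, but the verification order is the same.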
5. WebAuthn and Passwordless Authentication
Another exciting feature is the inclusion of WebAuthn, which brings passwordless authentication into Shibboleth v5. WebAuthn is the web API half of FIDO2, a standard in which the user's authenticator holds a private key for each site and the IdP stores only the matching public key; at login the authenticator signs a server-issued challenge instead of the user typing a secret.
This feature supports both device-bound passkeys (e.g. hardware security keys) and multi-device synced passkeys (e.g. those stored in a password manager). Credentials are bound to the relying party's domain and the browser includes the page origin in the signed data, so a look-alike phishing site cannot obtain a usable assertion, and there is no shared secret on the server to steal or reuse. For the user, there is nothing to remember or manage.
WebAuthn offers both convenience and robust security, positioning Shibboleth v5 as a forward-thinking solution in the realm of identity management.
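The phishing resistance comes from a handful of checks the relying party performs on each login assertion, so here is an added example (not code from the page or the Shibboleth WebAuthn plugin) of the RP side of a WebAuthn login, with a simulated authenticator standing in for a passkey so it runs offline. The relying party ID idp.example.org, the origins and the challenge are constructed. The verifier checks the ceremony type, origin, challenge, rpIdHash, user-presence flag and signature counter, then the ECDSA P-256 signature over authenticatorData || SHA-256(clientDataJSON); the demo then shows a genuine login accepted and a phished, replayed and stale-challenge assertion refused.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the CollectedClientData the browser builds; the authenticator signs its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser posts to the RP at login.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Credential is what the RP stored at registration: the public key and the last
// signature counter seen. The private key never leaves the authenticator.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// VerifyAssertion performs the RP-side checks that give WebAuthn its phishing and
// replay resistance, then verifies the signature over
// authenticatorData || SHA-256(clientDataJSON).
func VerifyAssertion(a Assertion, cred *Credential, rpID, origin string, challenge []byte) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was made on another site")
	case err != nil || !bytes.Equal(got, challenge):
		return errors.New("challenge mismatch")
	case len(a.AuthenticatorData) < 37:
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], a.Signature) {
		return errors.New("signature verification failed")
	}
	cred.SignCount = count
	return nil
}

// simulateAuthenticator stands in for a passkey: it builds authenticatorData
// (rpIdHash || flags || counter) and clientDataJSON as a browser and
// authenticator would, then signs with the credential's private key.
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, counter uint32) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01) // flags: UP (user present)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	authData = append(authData, c[:]...)
	cdj, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{authData, cdj, sig}, err
}

// DemoResult records one genuine login and three attacks against the same credential.
type DemoResult struct{ GenuineAccepted, PhishedRejected, ReplayRejected, StaleChallengeRejected bool }

// Demo registers a constructed credential for the hypothetical RP idp.example.org.
func Demo() (DemoResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	cred := &Credential{PublicKey: &priv.PublicKey}
	const rpID, origin = "idp.example.org", "https://idp.example.org"
	challenge := make([]byte, 32)
	rand.Read(challenge)
	genuine, err := simulateAuthenticator(priv, rpID, origin, challenge, 1)
	if err != nil {
		return DemoResult{}, err
	}
	r := DemoResult{GenuineAccepted: VerifyAssertion(genuine, cred, rpID, origin, challenge) == nil}
	// Phishing: the browser records the look-alike page's origin in clientDataJSON
	// (a real browser would refuse outright, since rpID is not a suffix of that origin).
	phished, _ := simulateAuthenticator(priv, rpID, "https://idp.example.org.evil.net", challenge, 2)
	r.PhishedRejected = VerifyAssertion(phished, cred, rpID, origin, challenge) != nil
	// Replay: the genuine assertion presented again; its counter (1) did not increase.
	r.ReplayRejected = VerifyAssertion(genuine, cred, rpID, origin, challenge) != nil
	// Stale challenge: signed for a challenge the RP never issued for this session.
	stale, _ := simulateAuthenticator(priv, rpID, origin, []byte("old-challenge"), 3)
	r.StaleChallengeRejected = VerifyAssertion(stale, cred, rpID, origin, challenge) != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two points worth noting: the origin check is what defeats the phishing site, because the browser, not the page, writes the origin into clientDataJSON; and the counter check is the only signal an RP has that a device-bound credential may have been cloned, which is also why synced passkeys typically report a counter of zero and skip it.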
Shibboleth’s Role-Based Access Control (RBAC)
While not a new feature in version 5, Role-Based Access Control (RBAC) remains a powerful tool for organisations using Shibboleth. In practice the roles are attributes, such as group membership, that the IdP releases to the Service Provider (SP); the SP then enforces access rules on those attribute values. Two things have to line up for this to work: the IdP's attribute filter must release the attribute to that SP, and the SP's access rules must require it, so that only users carrying the right values reach protected resources.
Upgrading to Shibboleth v5: Key Considerations
Many attendees asked about the process of upgrading from Shibboleth v4 to v5. Here’s a summary of the key points Harry discussed:
- Compatibility: Shibboleth v5 retains compatibility with most existing configurations and integrations. However, extensions or plugins used with Shibboleth v4 may need updating to work with the new version, not least because v5 moves to Java 17 and the Jakarta servlet API.
- Security Benefits: With Shibboleth v4 at end of life, upgrading to version 5 is essential for maintaining system security: v4 no longer receives security patches or bug fixes, so any newly found vulnerability in it stays unfixed.
- Upgrade Process: Before upgrading, check that all configuration files match the new version's requirements; deprecation warnings logged by v4 point at settings that should be resolved first. Update the supporting software before the IdP itself, meaning Java 17 and a Jetty release that v5 supports, and take a backup of the existing installation so the upgrade can be rolled back.
For larger organisations, the upgrade process can be automated using tools like Ansible playbooks, which help reduce downtime by automating the installation of necessary software and configurations.
How Shibboleth v5 Supports MFA
Shibboleth v5 continues to support Multi-Factor Authentication (MFA), which is essential for organisations looking to enhance security. Shibboleth can be integrated with various MFA solutions, including Duo, TOTP apps such as Google Authenticator, and WebAuthn, providing flexibility in how MFA is implemented.
Administrators configure the decision logic in the MFA flow's configuration (conf/authn/mfa-authn-config.xml), where transition rules, typically small scripts, decide after the first factor whether a second factor is required. That lets an organisation require MFA only for specific services, for users in particular groups, or when the SP requests a stronger authentication context.
What’s Next for Overt Software?
As we look to the future, Overt Software is committed to continuing our development of secure, innovative solutions for federated access management. We have several exciting projects in the works, and we look forward to sharing more updates in the near future.
Explore Overt’s Shibboleth Dashboard
We are also excited to announce the launch of our new Shibboleth Dashboard, a powerful tool that simplifies the management of Shibboleth systems. The dashboard offers real-time insights into your system’s health, authentication reports, and much more. Be one of the first to explore these features by clicking the link below.
We hope to see you at our next digital event, where we will continue to explore cutting-edge solutions and provide answers to your most pressing questions. Thank you again for joining our fireside chat on Shibboleth v5, and we look forward to working with you to secure your organisation’s future.