What is new In Shibboleth IdP V3?
We will start by looking at the new features in Shibboleth IdP Version 3. This is the first major IdP release in 7 years and is the result of more than two years of active development. There are lots of new features that benefit users and administrators. It is important to note that it’s been written to be backwards compatible as much as possible so shouldn’t be as disruptive as the Shibboleth 1.3 to version 2 upgrade of the past.
Attribute Release Consent
The first feature that we will look at is the new Attribute release consent. This is the feature that will most likely impact your users the most. This feature allows users to have control over what attributes are released to each Service Provider / Resource. This level of transparency will allow you to meet privacy and compliancy requirements that you may have in place at your organisation.
The new attribute release consent feature in modelled on the old uApprove plugin which was developed for Shibboleth V2. Now that it is a native built-in feature to Shibboleth we are expecting to see its use greatly increased.
Here is a short video demonstrating the new feature in action:
We have a video below demonstrating the TOS feature:
Improved Authentication System
The authentication system has been revamped to include Native LDAP, however we still have JAAS and external authentication capabilities. Utilising the native LDAP plugin allows you to have a lot more control over the login flow. For example you can now show helpful informative messages such as informing the user that their password is about to expire or has already expired rather than a generic User / Password not recognised message. You can then be specific about what action the user needs to take to reset their password or who to contact to get the problem resolved.
SPNEGO Authentication otherwise known as Seamless SSO is now built into Shibboleth IdP Version 3 (from version 3.2). This allows you to use Kerberos to simplify the login process for users that have already logged into a domain connected machine. Essentially this reduces the amount of times a user needs to login and adds up to a great user experience and is highly recommended to use if you are using Active Directory as your authentication source.
Please see the following video that demonstrates how SPNEGO works:
ECP is now also included out of the box. ECP stands for Enhanced Client or Proxy. ECP essentially allows you to use SAML authentication on other clients that are not browsers. For example:
- Desktop Application
- Server side code running in a web application
- More or less anything that is not a browser
ECP is most notable for allowing you to connect your Outlook email for example to Office 365 and use your Shibboleth credentials to authenticate and use that program.
Client side storage
Velocity Templating Engine
One of the major drawbacks in Shibboleth v2, was the fact that if you wanted to make any changes to your login pages (for example to notify user about an authentication issue or resource issue), you would need to recompile the Shibboleth IdP and restart the service causing downtime. With the new Velocity Templating engine you are able to update pages on the fly without even needing to restart!
More Flexible Configuration
Shibboleth IdP v3 now employs properties files. This means that you can set your LDAP details for example in one file and call those properties in the other configuration files. This is very useful if you need to update the LDAP bind user for example. You just change the details in one place instead of several places. You also now have the option to split larger configuration files down into smaller individual files. This can be very helpful is you have a very large resolver or filter files.
Improved Update Process
The update process has been streamlined. When updating the Shibboleth IdP there is now longer any need to copy lib or web files over to the install directory as nothing will be overwritten. Its also much easier to update the underlying server application (Jetty) as the binaries can be separated from the IdP’s web app instance.
New Administrative Interface – Resolver Tests and Reloading of Services
There are several new administrative functions:
- Checking the IdP status
- Testing the attribute resolver with a particular user ID
- Triggering the reload of a particular metadata source
- Triggering the reload of a service within the IdP
Lots of new testing tools have been included with the latest release which can be accessed and ran from a URL remotely. For example this will allow you to test what attributes a user will release for a particular Service Provider from a URL. This is much faster and cleaner than the Shibboleth v2 tests which had to be ran from the command line on the server. You are also able to reload individual services for example reloading a metadata file for a particular service provider. This is very useful when you’re making a small change to reload that specific part rather than reloading the whole IdP.
Shibboleth IdP Version 3 can now act as a CAS server. This means that if you are currently running a separate CAS server you can now just use Shibboleth instead. This will allow you to consolidate the two systems into one.