Upgrading from V2
Documentation on the Shibboleth wiki about upgrading is at https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2
Attribute mapping does not include eduPersonTargetedID
One issue to highlight is that if you have never modified the attribute-map.xml file, an RPM upgrade will replace it with the new default version, and an old mapping for an incorrect version of eduPersonTargetedID was removed in this release. There are some IdPs in the UK federation which still make use of that broken attribute form. To prevent this, edit the file to add a comment before upgrading, or add the following element after the upgrade:
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
  <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
Logging format
To enable the new logging format, you need to add the following to the shibboleth2.xml file:
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
See https://wiki.shibboleth.net/confluence/display/SP3/Logging
Metadata Provider
The V2-style MetadataProvider needs changing: change the uri attribute to url for the location of the UK federation metadata aggregate:
<MetadataProvider type="XML" url="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/var/cache/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
  <MetadataFilter type="Signature" certificate="ukfederation.pem" verifyBackup="false"/>
</MetadataProvider>
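A post-upgrade check for the MetadataProvider change above, as an added example that is not part of the original page or the Shibboleth project: it flags a leftover uri attribute and, because the aggregate is fetched over plain HTTP, confirms that the Signature and RequireValidUntil filters are present. The function name check_metadata_providers and the sample configuration are constructed for illustration; elements are matched by local name so the check does not depend on the namespace the file declares.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a V2-style provider left over after an upgrade, with no filters.
SAMPLE_V2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML"
        uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
        backingFilePath="/var/cache/shibboleth/ukfederation-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_metadata_providers(xml_text):
    """Return a list of findings for the remote MetadataProviders in a config."""
    findings = []
    root = ET.fromstring(xml_text)
    for mp in root.iter():
        if local(mp.tag) != "MetadataProvider":
            continue
        if "uri" in mp.attrib:
            findings.append("V2-style 'uri' attribute: change it to 'url'")
        location = mp.get("url") or mp.get("uri")
        if location is None:
            continue  # local file or chaining provider, not checked here
        # Only direct children count: filters apply to the provider they sit in.
        filters = {f.get("type") for f in mp if local(f.tag) == "MetadataFilter"}
        if "Signature" not in filters:
            findings.append(f"{location}: no Signature filter, aggregate is not verified")
        if "RequireValidUntil" not in filters:
            findings.append(f"{location}: no RequireValidUntil filter, "
                            "metadata without an expiry is accepted")
    return findings


if __name__ == "__main__":
    for finding in check_metadata_providers(SAMPLE_V2):
        print(finding)
```

To check a real installation, pass the contents of shibboleth2.xml to check_metadata_providers; an empty list means none of the three conditions was found.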
Exporting assertions
The configuration of how the SP exports raw assertions has changed. If the Shibboleth SP proxies to your application and the application needs to access the raw assertions, then you must update your configuration to use the new options. See https://wiki.shibboleth.net/confluence/display/SP3/AssertionExport and https://wiki.shibboleth.net/confluence/display/SP3/ContentSettings for the new documentation.