...

The Shibboleth developers are, from time to time, asked if we will publish our build artifacts to Maven Central. This document page describes our position on the use of artifacts from, and on publishing artifacts to, Maven Central.

...

Maven Central does not perform adequate vetting of the people uploading artifacts or the artifacts they upload. Thus, the integrity and origin of the artifacts therein are not known or verifiable. As an example, the OpenSAML artifacts currently uploaded to Maven Central are not provided by the Shibboleth project, nor are they always even artifacts that we've released (i.e., the jars we know of there have been changed in some ways, though we have only a general sense of what those changes were).

Taken together, the problems with this setup should be obvious.

Use of Maven Central

Because of the inability to verify the integrity and origin of artifacts, Shibboleth product builds no longer use Maven Central. Instead, all artifacts are pulled from the Shibboleth project repository. Artifacts added to the project repository have been downloaded directly from the author, verified in the manner provided by the author and signed by the Shibboleth developers if not already signed originally.
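The build-side half of this arrangement, as an added illustration rather than the Shibboleth project's own configuration: a Maven settings.xml that routes every repository request, including the implicit "central" repository, to a single project-controlled repository so that Maven Central is never contacted. The repository URL is a placeholder.

```xml
<!-- ~/.m2/settings.xml (added example; the URL is a placeholder, not a real repository) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>project-repo</id>
      <name>Project artifact repository, serving as the only source of artifacts</name>
      <url>https://repo.example.invalid/maven/</url>
      <!-- "*" captures the implicit central repository AND any <repository> or
           <pluginRepository> declared in third-party POMs, which would otherwise
           reintroduce an unvetted source behind the build's back.
           "central" alone would redirect only the default repository. -->
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

A build that needs an artifact not yet ingested into the project repository fails to resolve it instead of silently falling back to Central, which is the intended signal that the artifact must first be downloaded from its author, verified and signed.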

Publishing to Maven Central

...