...

One issue to highlight: if you have never modified the attribute-map.xml file, an RPM upgrade will replace it with the new default version. An old mapping for an incorrect version of eduPersonTargetedID was removed in this release, so this could impact a system still making use of that broken attribute form. To prevent this, just edit the file to add a comment before upgrading.

...

  • The simplest thing in most cases is just to update your shibboleth2.xml and security-policy.xml files in place by changing the namespace declaration at the top of the file from urn:mace:shibboleth:2.0:native:sp:config to urn:mace:shibboleth:3.0:native:sp:config (there are usually two mentions of the namespace in the root element). Note the difference there: the 2.0 → 3.0 in the string.

    Be sure to review all "MetadataProvider" elements in the shibboleth2.xml file for "file" and "uri" attributes.  These attribute names are no longer valid in the 3.0 namespace and must be replaced with the "path" and "url" attribute names.  Examples below.

    Old MetadataProvider

    <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
    
    
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
    
    

    New MetadataProvider

    <MetadataProvider type="XML" url="http://federation.org/federation-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
    
    
    <MetadataProvider type="XML" path="idp-metadata.xml"/>
  • Alternatively you can start with the default shibboleth2.xml.dist file and transfer your settings to a new copy of shibboleth2.xml, but that has a tendency to break things because it's hard to reproduce complex settings accurately.

The V3 default filename remains "shibboleth2.xml" to facilitate the upgrade process. Any settings that are flagged with warnings may be removed from the updated XML schema and prevent the system from loading the file once the namespace is updated, so they should be corrected as part of the process. Once the system is operating with the new file, you're done.
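
A pre-upgrade check for the two in-place changes described above, the namespace declarations and the renamed MetadataProvider attributes. This is an added example, not part of the Shibboleth distribution; the function name `lint_sp_config` and the sample configuration are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
# MetadataProvider attribute renames described above (old name -> new name).
RENAMED = {"file": "path", "uri": "url"}

# Constructed sample, not a real deployment's configuration.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
        backingFilePath="federation-metadata.xml" reloadInterval="7200"/>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
    <MetadataProvider type="XML" path="already-migrated.xml"/>
  </ApplicationDefaults>
</SPConfig>"""


def lint_sp_config(xml_text):
    """Return findings to fix before the file is loaded under the 3.0 namespace."""
    findings = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    # "start-ns" reports every xmlns declaration, so both mentions of the
    # namespace in the root element are caught, not just the default one.
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = item
            if uri == V2_NS:
                name = "xmlns:" + prefix if prefix else "xmlns"
                findings.append("%s: change %s to %s" % (name, V2_NS, V3_NS))
            continue
        # Element tags arrive as "{namespace}local"; compare the local name only.
        if item.tag.rsplit("}", 1)[-1] != "MetadataProvider":
            continue
        for old, new in RENAMED.items():
            if old in item.attrib:
                findings.append('MetadataProvider %s="%s": rename %s to %s'
                                % (old, item.attrib[old], old, new))
    return findings


if __name__ == "__main__":
    for finding in lint_sp_config(SAMPLE):
        print(finding)
```

An empty result means neither change is outstanding; it does not cover other settings that the SP flags with warnings.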

...