It is an important design goal for IdP V4.0 that any configuration that loads without warning in V3.4 will successfully load and run in V4.0.
Most deprecated items issue a warning in the DEPRECATED logging category, and we're trying to find and fix any warnings that didn't make it into that category as we issue patches.
WARN [DEPRECATED:118] - xsi:type '{urn:mace:shibboleth:2.0:attribute:encoder}SAML2XMLObject', (class path resource [net/shibboleth/idp/attribute/resolver/spring/enc/saml2XmlObjectDefault.xml]): This will be removed in the next major version of this software; replacement is {urn:mace:shibboleth:2.0:resolver}SAML2XMLObject |
In V3 there was support for a lot of legacy V2 configuration, but much of it was deprecated, mostly when 3.0 was released, some during the releases since then. In V4 all the deprecated support will be removed.
This refers to configuration described in AttributeFilterConfiguration.
basic: (urn:mace:shibboleth:2.0:afp:mf:basic) namespace are deprecated. This section describes how to convert from using these namespaces.saml: (urn:mace:shibboleth:2.0:afp:mf:saml) namespace are deprecated. This section describes how to convert from using these namespaces.The following elements are deprecated, and there is no substitute available:
<PolicyRequirementRuleReference><AttributeRuleReference><PermitValueRuleReference><DenyValueRuleReference>These elements were deprecated in V3.0.
This refers to configuration described in AttributeResolverConfiguration.
ad: (urn:mace:shibboleth:2.0:resolver:ad) namespace are deprecated. This section describes how to convert from using these namespaces.dc: (urn:mace:shibboleth:2.0:resolver:dc) namespace are deprecated. This section describes how to convert from using these namespaces.enc: (urn:mace:shibboleth:2.0:attribute:encoder) namespace are deprecated. This section describes how to convert from using these namespaces.pc: (urn:mace:shibboleth:2.0:resolver:pc) namespace are deprecated. This section has more details.<Dependency> elements and the sourceAttributeID="name" attribute throughout the schema are deprecated and should be replaced by the InputAttributeDefinition and InputDataConnector elements, which are introduced with V3.4.0. This section describes how to do the conversion.springResources attribute in the StoredIDDataConnector is meaningless and deprecated.<FailoverDataConnector> as a child of a StaticDataConnector is deprecated.<PrincipalConnector> element is deprecated. (more details...)cacheResults attribute in the Relational Database and LDAP DataConnectors has been ignored since V3.1.0 and will be removed.mergeResults attribute in the LDAP DataConnector will be removed.queryUsesStoredProcedure attribute in the Relational Database and LDAP DataConnectors has been ignored since V3.0 and will be removed.ApplicationManagedConnection element to provide the data source for a Relational Database DataConnector is deprecated and replaced (for testing) by the SimpleManagedConnection element and (in production) by the BeanManagedConnection element.The following are deprecated and are replaced by the NameID Generation service.
CryptoTransientId (attribute type)TransientId (attribute type)SAML1StringNameIdentifier (encoder type)SAML2StringNameID (encoder type)Use of the AttributeResolverWorkContext class is deprecated in scripts. This is currently exposed during resolution as a child of the AttributeResolutionContext
Attribute IDs within the IdP containing whitespace are deprecated and will not be permitted in V4.
ChainingFilter
FilesystemResource, HttpResource and FileBackedHttpResource types are all deprecated and replaced by the use of the backingFile attribute (see documentation).ExtensionSchema element as a child of the SchemaValidation metadata filter is deprecated.maxValidityIntervalDuration attribute of the RequiredValidUntil filter must be a duration (the legacy support of "value in seconds" will be removed).requireSignedMetadata attribute of the SignatureValidation filter is deprecated (and replaced with the requireSignedRoot attribute)<sec:TrustEngine> within a MetadataProvider is deprecated (it was left purely for V2 legacy support). See below.basicAuthUser (replaced with the more general httpClientSecurityParametersRef)basicAuthPassword (replaced with the more general httpClientSecurityParametersRef)credentialsProviderRef (replaced with the more general httpClientSecurityParametersRef)tlsTrustEngineRef (replaced with the more general httpClientSecurityParametersRef)requestTimeout (replaced with connectionTimeout)disregardSslCertificate (replaced with disregardTLSCertificate)httpCaching, httpCacheDirectory, httpMaxCacheEntries, httpMaxCacheEntrySize (replaced with more general httpClientRef)The entirety of this namespace is deprecated. Metadata configuration is described here and the modern form of relying party configuration here. The V2 syntax support will be dropped from V4.
This namespace was used primarily within the legacy relying party syntax, which has been deprecated.
It was also used in the LDAP data connector to specify an X.509 certificate to serve as either the trust (<StartTLSTrustCredential>) or authentication (<StartTLSAuthenticationCredential>) credentials used to configure the TLS connection to an LDAP server. These have been replaced with the trustFile="file", authCert="file" and authKey="file" attributes.
All are deprecated.
One non-deprecated case is within a SignatureValidation filter. This, however, supports simpler replacement attributes (either certificateFile="file" or trustEngineRef="bean" for advanced cases).
Another is the specification of a <TLSTrustEngine> for transport authentication of a metadata source, but this is not a recommended or common scenario.
The following properties are deprecated (usually connected to the deprecation of specific features) and will be removed in V4:
idp.httpclient.useTrustEngineTLSSocketFactory (replaced with idp.httpclient.useSecurityEnhancedTLSSocketFactory)
idp.consent.userStorageKey (replaced with idp.consent.attribute-release.userStorageKey and idp.consent.terms-of-use.userStorageKey)
idp.consent.userStorageKeyAttribute (replaced with idp.consent.attribute-release.userStorageKeyAttribute and idp.consent.terms-of-use.userStorageKeyAttribute)
The Initial Authentication feature has been deprecated and is replaced by the more flexible MFA login flow.
There are a variety of API changes planned that may impact advanced deployers making use of classes in scripts or extensions. Most changes are relatively small and non-impactful. The Javadocs (see the Configuration page for links once V3.4 is released) include summaries of all deprecated classes and methods.