The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.



It is an important design goal for IdP V4.0 that any configuration that loads without warning in V3.4 will successfully load and run in V4.0. 

Most deprecated items issue a warning in the DEPRECATED logging category, and we're trying to find and fix any warnings that didn't make it into that category as we issue patches.

WARN [DEPRECATED:118] - xsi:type '{urn:mace:shibboleth:2.0:attribute:encoder}SAML2XMLObject', (class path resource [net/shibboleth/idp/attribute/resolver/spring/enc/saml2XmlObjectDefault.xml]): This will be removed in the next major version of this software; replacement is {urn:mace:shibboleth:2.0:resolver}SAML2XMLObject

Custom Syntax Files

In V3 there was support for a lot of legacy V2 configuration, but much of it was deprecated, mostly when 3.0 was released, some during the releases since then.  In V4 all the deprecated support will be removed.

Attribute Filtering

This refers to configuration described in AttributeFilterConfiguration.

Deprecated namespaces

  • All elements in the basic: (urn:mace:shibboleth:2.0:afp:mf:basic) namespace are deprecated. This section describes how to convert from using these namespaces.
  • All elements in the saml: (urn:mace:shibboleth:2.0:afp:mf:saml) namespace are deprecated. This section describes how to convert from using these namespaces.

Deprecated Elements

The following elements are deprecated, and there is no substitute available:

  • <PolicyRequirementRuleReference>
  • <AttributeRuleReference>
  • <PermitValueRuleReference>
  • <DenyValueRuleReference>

These elements were deprecated in V3.0.

Attribute Resolution

This refers to configuration described in AttributeResolverConfiguration.

Deprecated Namespaces

  • All elements in the ad: (urn:mace:shibboleth:2.0:resolver:ad) namespace are deprecated. This section describes how to convert from using these namespaces.
  • All elements in the dc: (urn:mace:shibboleth:2.0:resolver:dc) namespace are deprecated. This section describes how to convert from using these namespaces.
  • All elements in the enc: (urn:mace:shibboleth:2.0:attribute:encoder) namespace are deprecated. This section describes how to convert from using these namespaces.
  • All elements in the pc: (urn:mace:shibboleth:2.0:resolver:pc) namespace are deprecated. This section has more details.

Deprecated Elements and Attributes

  • <Dependency> elements and the sourceAttributeID="name" attribute throughout the schema are deprecated and should be replaced by the InputAttributeDefinition and InputDataConnector elements, which are introduced with V3.4.0.  This section describes how to do the conversion.
  • The springResources attribute in the StoredIDDataConnector is meaningless and deprecated.
  • The use of a <FailoverDataConnector> as a child of a StaticDataConnector is deprecated.
  • The <PrincipalConnector> element is deprecated. (more details...)
  • The cacheResults attribute in the Relational Database and LDAP DataConnectors has been ignored since V3.1.0 and will be removed.
  • The mergeResults attribute in the LDAP DataConnector will be removed.
  • The queryUsesStoredProcedure attribute in the Relational Database and LDAP DataConnectors has been ignored since V3.0 and will be removed.
  • The use of the ApplicationManagedConnection element to provide the data source for a Relational Database DataConnector is deprecated and replaced (for testing) by the SimpleManagedConnection element and (in production) by the BeanManagedConnection element.
  • It is deprecated to use the JVM default trust store to secure the TLS connection in an LDAP DataConnector.

Deprecated Resolver Types

The following are deprecated and are replaced by the NameID Generation service.

  • CryptoTransientId (attribute type)
  • TransientId (attribute type)
  • SAML1StringNameIdentifier (encoder type)
  • SAML2StringNameID (encoder type)


Use of the AttributeResolverWorkContext class is deprecated in scripts. This is currently exposed during resolution as a child of the AttributeResolutionContext

Attribute IDs within the IdP containing whitespace are deprecated and will not be permitted in V4.


Deprecated Provider Types

  • The ChainingFilter metadata filter type is deprecated. Filters do not need to be explicitly bracketed by a ChainingFilter
  • The HTTPMetadataProvider is deprecated (this refers specifically to that one type, not the variant backed by a local file)
  • The FilesystemResourceHttpResource and FileBackedHttpResource types are all deprecated and replaced by the use of the backingFile attribute (see documentation).

Deprecated Elements and Attributes

  • The ExtensionSchema element as a child of the SchemaValidation metadata filter is deprecated.
  • The maxValidityIntervalDuration attribute of the RequiredValidUntil filter must be a duration (the legacy support of "value in seconds" will be removed).
  • The requireSignedMetadata attribute of the SignatureValidation filter is deprecated (and replaced with the requireSignedRoot attribute)
  • The placement of a <sec:TrustEngine> within a MetadataProvider is deprecated (it was left purely for V2 legacy support). See below.
  • The following attributes are all deprecated as children of the HTTP-based Metadata parsers (dynamic and batch):
    • basicAuthUser (replaced with the more general httpClientSecurityParametersRef)
    • basicAuthPassword (replaced with the more general httpClientSecurityParametersRef)
    • credentialsProviderRef (replaced with the more general httpClientSecurityParametersRef)
    • tlsTrustEngineRef (replaced with the more general httpClientSecurityParametersRef)
    • requestTimeout (replaced with connectionTimeout)
    • disregardSslCertificate (replaced with disregardTLSCertificate)
    • httpCaching, httpCacheDirectory, httpMaxCacheEntrieshttpMaxCacheEntrySize (replaced with more general httpClientRef)

Legacy Relying Party Namespace

The entirety of this namespace is deprecated. Metadata configuration is described here and the modern form of relying party configuration here. The V2 syntax support will be dropped from V4.

Legacy Security Namespace

This namespace was used primarily within the legacy relying party syntax, which has been deprecated.

It was also used in the LDAP data connector to specify an X.509 certificate to serve as either the trust (<StartTLSTrustCredential>) or authentication (<StartTLSAuthenticationCredential>) credentials used to configure the TLS connection to an LDAP server. These have been replaced with the trustFile="file"authCert="file" and authKey="file" attributes.

All are deprecated.

One non-deprecated case is within a SignatureValidation filter. This, however, supports simpler replacement attributes (either certificateFile="file" or trustEngineRef="bean" for advanced cases).

Another is the specification of a <TLSTrustEngine> for transport authentication of a metadata source, but this is not a recommended or common scenario.


The following properties are deprecated (usually connected to the deprecation of specific features) and will be removed in V4:

Other Changes

API Changes

There are a variety of API changes planned that may impact advanced deployers making use of classes in scripts or extensions. Most changes are relatively small and non-impactful. The Javadocs (see the Configuration page for links once V3.4 is released) include summaries of all deprecated classes and methods.