The Shibboleth IdP V4 software will leave support on September 1, 2024.

LDAPonJava

A bug was introduced in JNDI that affects Java versions 9 through 13. The bug manifests as a NullPointerException when LDAPS is used, but it affects all JNDI connections. In particular, every function that performs a bind operation will orphan an open connection, eventually exhausting resources and taking down the system.

Another bug appeared more recently that breaks hostname verification for LDAPS on an unknown set of versions.

As a result of these bugs, V4 has been updated to rely on an alternate LDAP client library by default, and we have ceased to support JNDI due to its history of bugs and lack of care by those maintaining Java.

The approach documented for V3 is applied by default unless the idp.ldaptive.provider property is explicitly overridden.
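To check whether a deployment has left that default in place, the following added example (not Shibboleth project code) reads a properties file for an explicit idp.ldaptive.provider override and relates it to the running Java version. The function names, the constructed sample file, and the match on the ldaptive 1.x class name org.ldaptive.provider.jndi.JndiProvider are assumptions that do not appear on this page.

```shell
#!/bin/sh
# Added example (not Shibboleth project code): audit an IdP V4 properties file
# for an explicit idp.ldaptive.provider override and relate it to the Java version.

# Print the effective value of idp.ldaptive.provider, or nothing if unset.
# Comment lines (# or !) never match; the last definition wins, as in Java.
provider_override() {
    sed -n -E 's/^[[:space:]]*idp\.ldaptive\.provider[[:space:]]*[=:][[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Reduce a java.version string to its major number: 1.8.0_292 -> 8, 11.0.2 -> 11.
java_major() (
    v="${1%%[-+]*}"                       # drop suffixes such as -ea or +9
    case "$v" in 1.*) v="${v#1.}" ;; esac # legacy 1.x scheme used through Java 8
    printf '%s\n' "${v%%[._]*}"
)

# Usage: audit_ldap_provider <properties-file> <java.version string>
audit_ldap_provider() (
    override="$(provider_override "$1")"
    major="$(java_major "$2")"
    case "$major" in ''|*[!0-9]*) echo "UNKNOWN: cannot parse Java version '$2'"; exit 0 ;; esac
    if [ -z "$override" ]; then
        echo "OK: no override, V4 default LDAP provider in use"
        exit 0
    fi
    case "$override" in
        *[Jj][Nn][Dd][Ii]*)
            if [ "$major" -ge 9 ] && [ "$major" -le 13 ]; then
                echo "HIGH: JNDI provider on Java $major (connection-leak range 9-13)"
            else
                echo "REVIEW: unsupported JNDI provider on Java $major"
            fi ;;
        *)  echo "REVIEW: non-default provider $override" ;;
    esac
)

# Constructed sample input: a commented-out setting and an active JNDI override.
write_sample() {
    printf '%s\n' '# idp.ldaptive.provider = commented.out.Value' \
        'idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636' \
        'idp.ldaptive.provider = org.ldaptive.provider.jndi.JndiProvider' > "$1"
}
```

Run it as `audit_ldap_provider /path/to/ldap.properties "$(java -XshowSettings:properties -version 2>&1 | awk '/java.version =/ {print $3}')"`, repeating for each properties file the IdP loads.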


https://bugs.openjdk.java.net/browse/JDK-8217606

https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012887.html