SWITCHaai Transition to Shibboleth Identity Provider v3 is 80% complete

Back in May 2015, the Shibboleth Consortium announced July 31st 2016 as end-of-life date for the IdPv2 code base. A redesigned IdPv3.1.1 is available since March 2015. One month later, SWITCH announced the initial version of the SWITCHaai specific IdPv3 installation guide. In June and September 2015, SWITCH offered well-attended IdP training courses [4] on how to configure IdPv3. Since then, the number of IdPv3 installations has gradually increased to the 80% level it reached just at the beginning of the autumn semester 2016.

The vast majority of the IdP administrators have installed, configured, tested and finally integrated the new version into their production environment. A big thank you to all of them that they gave their time to upgrade. Many administrators provided us valuable feedback on the IdP installation guide so that we could continuously improve it over time.
Several organizations decided to adopt the IdP Hosting service SWITCH offers instead of upgrading their own local installation. Today, SWITCH runs 17 production IdPs on our IdP hosting platform, including the ones for Swiss edu-ID, the Virtual Home Organization (VHO) and the IdP for the SWITCH staff members.

From about half of the remaining eleven IdPv2 instances we know that they will migrate to IdPv3 in the next few weeks. So hopefully by the end of 2016 almost everyone will have completed the transition.

The US InCommon Federation from time to time analyses the metadata of the eduGAIN interfederation service and publishes an interesting statistic on how many of the interfederation enabled IdPs are based on the Shibboleth open source software and run on IdPv3 or still on IdPv2. These numbers show that the percentage of IdPv3 in SWITCHaai is pretty high compared with most other federations listed.

Apache Access Control Reloaded

How to ensure that only staff members of my group in my organisation can access team documents via the web and only if they are connected via the organisation’s office network? And how to implement this without writing code? Thanks to Apache, Shibboleth and a SAML-based federation like SWITCHaai, these not so uncommon real life requirements are easy to implement. At least, once one has understood how user attributes can be used for access control. This blog entry demonstrates how to create such access control rules. Continue reading

Simplify Shibboleth IdP Debugging: Quickly Identify Related Log Entries

Why isn’t it possible to easily identify all log messages belonging to particular user that authenticated at a Shibboleth Identity Provider?” This question was asked at the SWITCH Shibboleth Training in June 2015. Many other Shibboleth Identity Provider (IdP) administrators acknowledged they miss such a useful feature too. It would make debugging Shibboleth login issues easier since parallel user logins at the IdP result in many log entries that become a challenge to analyze. By default, the IdP does not provide enough log information to identify all related log entries  for a particular login attempt.

The answer to this question is: This is possible! It’s in Shibboleth already and it’s easy to use but it is a bit hidden. There are two key ingredients needed to activate this.

Continue reading