Upgrade Shibboleth to v.3 #5387
Just a note that Odum has been running 3.0.2 since August; the only issues we've noticed are deprecation notices about certain config elements.
@donsizemore - any interest in making a pull request?
@donsizemore - thanks for the PR; was it really as simple as upgrading the package? Did you have to tinker with the settings in your old config files at all?
@landreev well, if the upgrade were more difficult I couldn't have done it =) For at least the 2.6 => 3.0 upgrade Shibboleth promises backwards compatibility but crabs:
Whether that configuration change should be included in this issue or left to the end-user (as much of the Shibboleth configuration is by necessity) is you all's decision, but I'd personally want the security fixes in the newest Shibboleth version (for Odum, 3.0.2).
Just a note that I have a test system's Shibboleth 3.0.2 installation launching without complaint by modifying our shibboleth2.xml file per https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2 YMMV, but a diff shows my only changes are the urn:mace:shibboleth version change and the MetadataProvider file/path switcheroo. The test system is https://dataverse-test.irss.unc.edu if'n you'd like to try it.
To rehash: at the last standup we've decided to keep this issue open and to use it to track the process of upgrading our Shibboleth setup to v.3.
3.0.3 is out; I'm waiting for RPMs to show up in their yum repo. It appears to be bugfix-only:
Just a note that Shibboleth released 3.0.4 yesterday to fix a DoS vuln; Odum is running happily on 3.0.4 since then.
@donsizemore thanks. What's the status of pull request #5397? This issue is in "Ready" from the perspective of https://waffle.io/IQSS/dataverse
@landreev @djbrooke does this mean we should create an issue over at the new https://github.com/IQSS/dataverse.harvard.edu/issues issue tracker?
#5397 is ready from my perspective; it's what I needed to do to suppress deprecation warnings during Shibboleth launch. However, we note in the documentation that each shibboleth.xml will be something of a snowflake. The CVE describes all versions of Shibboleth prior to 3.0.4 as vulnerable to the DoS attack...
@donsizemore thanks. I guess one way of thinking about this issue is that by including
ADFS example piggybacks off the
@landreev @pdurbin - so this issue can be moved across the board, reviewed, and QA'ed, and then we have a separate issue in the dataverse.harvard.edu repo for the upgrade to Harvard Dataverse? Sounds good to me, just want to make sure I'm understanding. Thanks @donsizemore for the PR!
@djbrooke Correct, that sounds like the way to go.
Done, created IQSS/dataverse.harvard.edu#5 |
In edc0353 I merged develop into the branch to pick up the ADFS config and learned that it's already using |
@kcondon - hm. I'll defer to @landreev and @pdurbin on whether we want to do any tire kicking now, or if the code review and the fact that @donsizemore has been running it in prod for a few months is sufficient. Anyway, I'd lean towards no further kicking right now, but let me know if I'm missing something.
Another data point is that I asked @pameyer yesterday if he's using Shib 2 or 3 in his testing. He's using Shib 3 and sees no reason to use Shib 2. The pull request is about no longer encouraging installations to use Shib 2.
When I posted that for some reason my ticket view only showed your testing comment Danny. I've since independently seen the upgrade link and it appears to require 2 things: 1. yum install and 2. change version in shib2.xml. Generally, I like dev to look it over for potential issues before I get it but let's fire away!
Actually, we are already running shib 3 in production.
and that's still set to 2.0 in production. We can double-check on all this before closing the other issue, IQSS/dataverse.harvard.edu#5. |
The config file we are using in prod. and on demo also has "2.0" in the actual MetadataProvider/saml configuration:
Is this ok?
@landreev I only made changes per https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2 I'm currently using NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" in my DiscoveryFilters and Shib 3.0.4 doesn't crab about them on launch.
Same here - our Shib 3.0.3 seems to be running just fine with the DiscoveryFilter section above.
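The question raised above (a "2.0" in the SAML NameFormat vs. the SP config version) is easy to get wrong when auditing a shibboleth2.xml. The following is an added example, not code from the Dataverse project or from anyone in this thread: it reads a shibboleth2.xml, reports which SP configuration schema the root namespace declares, flags the two edits the upgrade notes above call for (namespace bump, MetadataProvider file= to path=, the latter assumed to be what "file/path switcheroo" refers to), and lists SAML URNs separately because those name the protocol version and are expected under SP3. The two namespace URIs are the SP2/SP3 config namespaces as I know them, not values quoted on this page; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed, not quoted on the page: the SP2 and SP3 configuration namespace URIs.
SP_CONFIG_NS = {
    "urn:mace:shibboleth:2.0:native:sp:config": "2.0",
    "urn:mace:shibboleth:3.0:native:sp:config": "3.0",
}
SAML_PREFIX = "urn:oasis:names:tc:SAML:"

def audit_shibboleth_config(xml_text):
    """Return (sp_config_version, saml_urns, findings) for a shibboleth2.xml document.

    Only the SPConfig root namespace says which SP schema version the file targets.
    'SAML:2.0' URNs (NameFormat etc.) name the SAML protocol and are expected under SP3.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    version = SP_CONFIG_NS.get(ns, "unknown")
    findings = []
    if version == "2.0":
        findings.append("SPConfig uses the deprecated 2.0 namespace; change it to the 3.0 namespace")
    elif version == "unknown":
        findings.append("SPConfig namespace not recognised: %r" % ns)
    for el in root.iter("{%s}MetadataProvider" % ns):
        # Assumed from the upgrade notes referenced above: local files are given via path=, not file=.
        if "file" in el.attrib and "path" not in el.attrib:
            findings.append("MetadataProvider uses file=%r; SP3 expects path=" % el.get("file"))
    saml_urns = sorted({v for el in root.iter() for v in el.attrib.values() if v.startswith(SAML_PREFIX)})
    return version, saml_urns, findings

# Constructed sample: still declared against the SP2 schema, with a SAML 2.0 NameFormat URI.
SP2_SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <MetadataProvider type="XML" file="federation-metadata.xml">
      <DiscoveryFilter type="Whitelist" matcher="EntityAttributes">
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            Name="http://example.edu/category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      </DiscoveryFilter>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

# The same file after the two edits the upgrade needed: namespace bump and file= -> path=.
SP3_SAMPLE = SP2_SAMPLE.replace("shibboleth:2.0:native", "shibboleth:3.0:native") \
                       .replace('file="federation', 'path="federation')

if __name__ == "__main__":
    for label, doc in (("before", SP2_SAMPLE), ("after", SP3_SAMPLE)):
        print(label, audit_shibboleth_config(doc))
```

Running it prints two findings for the "before" file and none for the "after" file, while the SAML 2.0 NameFormat URI is listed unchanged in both, which is the point of the exchange above.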
We are currently on a deprecated version of Shibboleth. Let's test and then update documentation to point to a more recent and supported version, such as Shibboleth 3.