The Shibboleth Identity Provider is one of the main software components used in identity federations worldwide and one of the most popular software choices for people deploying federated identity for research and education. In May 2015 with the release of version 3 of the Identity Provider, the Shibboleth team announced an End of Life date for version 2 as 31 July 2016. This date is now just two weeks away and from the end of July no critical security bugs will be fixed in version 2. The Shibboleth Consortium announced that:
As of July 31, 2016, all security maintenance for the Shibboleth Identity Provider V2 release branch will cease. A complete schedule of the dates can be found here. All deployments should upgrade to V3 or evaluate other alternatives. This does not apply to the Service Provider software, which remains supported indefinitely. It does apply to the 1.x Centralized Discovery Service product.
Work by InCommon and the GÉANT Project Identity Team has revealed that despite the short amount of time left before the End of Life for version 2, there are still over 1000 Identity Providers in eduGAIN that have not upgraded to version 3, representing just under half of the Identity Providers within eduGAIN. This means a significant number of entities are now at severe risk of vulnerability should a security issue arise. InCommon has prepared a per federation report on IdPs that are at risk as well as a useful guide for how organisations should be managing the upgrade.
Chart showing numbers of Shibboleth Identity Provider v2 entities within federations. Only federations with over 5 relevant entities are shown.
The REFEDS Community strongly encourages all organisations to take immediate action to ensure that Identity Provider software is updated as soon as possible. Entities can contact their local federations for advice and guidance or reach out to REFEDS directly and we will put you in contact with appropriate support.