Federated Services T&I Consultancy Trust, Identity and Access Blogs UK Access Management Federation

Are you making the most of your Shibboleth IdP?

Hands typing on a laptop.
Image by Glenn Carstens on Unsplash

We all know how it goes. We face a challenge, we find a solution, we implement it, and if we’re lucky – it works!

Before you know it – the successful solution is all but forgotten. Neglected. A distant memory in the chaos of the day-to-day; buried beneath a pile of new challenges that we’re now busy trying to fix.

But what are the implications if we don’t tend to solutions already in place? Perhaps nothing will break, but what if it does? And what opportunities are being missed if we don’t stay on top of product developments in the meantime?

While these considerations are true of almost any solution, this blog post focuses on the impact of neglecting your Shibboleth IdP.

Impact on Cyber Security & Organisational Resilience

Vulnerable, unsupported, and outdated components contribute significantly to your organisation’s security risks [1]. Moreover, authentication infrastructure represents a large, exploitable attack surface [2], and in over 60% of cases, stolen credentials are used in further data breaches [3]. Upgrade and patch management is crucial to improve your cyber security.

We first wrote about this in November 2021, discussing, at the time, how keeping your Shibboleth IdP up to date is crucial to securing Cyber Essentials. Keeping up-to-date operating system and application software is also required by participants in the Sirtfi federated incident response system [4].

However, we know that more than one in four institutional UKf members are still running out-of-date software. This could have major repercussions; Shibboleth’s v3 IdP software has been unsupported since 31st December 2020, and v5 is due to be released next year (2023).

This means institutions are missing out on key updates to mitigate known vulnerabilities in the software itself and its dependencies, including cross-site request forgery, log system and cookie hardening, a host of possible remote command execution bugs, tighter control over log-out behaviours, and session enhancements.

What’s more, passwords alone are no longer sufficient to prove ownership of an account, and with the likes of the Department for Education now mandating Multi-factor Authentication (MFA) for both staff and students, you need to be able to quickly and easily enable this. The Shibboleth v4 IdP has a highly configurable multi-factor flow implementation, and new MFA plugins such as Duo 2FA, and time-based one-time password (TOTP). It also natively supports SAML proxying, which allows delegation to a downstream IdP to provide MFA support e.g. Azure Active Directory.

So, still using an old and now unsupported version? Make sure you’ve got a plan to address it, if you want to reduce security risks and improve cyber resilience for your institution.

Impact on Student Experiences

In the modern world, students expect best-in-class digital experiences, regardless of whether you’re a large university or a tiny college in rural Devon. This was made clear when we reviewed lessons from the Student Voice Survey for 2020/21.

If you’re not using the latest version of a software, have you considered how this might impact your ability to deliver and improve seamless digital experiences for students? Or the knock-on impact of this on their learning?

Qatalog and Cornell University’s Idea Lab found that people in the workplace take about nine and a half minutes to get back into a productive workflow, after switching between digital apps. If your institution is adding to this by deploying clunky log-in experiences on top, how might this be affecting your ability to deliver effective learner transfer?

The latest version of Shibboleth enables you to deliver even greater interoperability, and improved digital experiences, for staff and students alike. The IdP can now act as a fully certified OpenID Connect Provider, integrating with potentially new service providers that do not support SAML.

If you don’t stay on top of upgrading your software, your institution is likely missing out on a host of benefits as a result.

Impact on Staff Experiences

If we want our students to excel – we must consider our staff experiences too.

For research staff — it is important to have safe, privacy-respecting, seamless access to journals to help further their research goals.

For library staff – they may be missing out on improved user experiences thanks to Shibboleth’s new UI templates – only available to those on the latest version.

For IT staff – it is easier to configure centralised ’strong’ and dynamic authentication assurance/policies e.g. MFA, alongside native support for SAML ‘proxy’ authentication which combines full support for SAML federation metadata with a downstream identity provider that does not (e.g. Active Directory).

What’s more, this could lead to a decay in access management standards, an increased use of hard-to-manage individual application LDAP connections fo authentication or worse, and registration of local credentials per application (which defeats single-sign-on, encourages password re-use, and increases the impact of third-party data breaches). This turns what was once a tidy and simplified access management landscape for your institution into a labyrinth of differing access and authentication standards.

Ensuring that your institution is taking advantage of the benefits of a simplified SSO solution across its digital estate is no small task. IT teams must ensure federated access is kept front of mind during procurement or internal service development, so they can unlock great staff and student access experiences in turn.

Impact on Data Protection & Privacy

If you’ve seen documentaries like The Social Dilemma (2020) – you’ll know how complete a picture online advertisers and retailers can build up of individuals, in the modern age.

But good digital experiences don’t have to be a trade off for personal privacy. Federated access should ensure this through a ‘privacy by design’ model; reducing the need to share personally identifiable information, while offering slick digital experiences in turn.

Not only do institutions have a duty to teach their students and staff to care about their personal data, and that of the institution, but there is also an opportunity to reduce the burden and risk on your Information Security and Data Protection teams.

Is it time for an upgrade?

So, there you have it. 4 key reasons why staying on top of your Shibboleth software can improve security, enhance digital experiences and enrich operational efficiency for your institution.

If we’ve persuaded you of the need to upgrade your set-up, and you’re wondering what to do next, fear not! There are several tools and tips to help get you started:

  • Check the Shibboleth Wiki – all the info you need about the latest software versions, patches and minor upgrade releases is available via this source
  • Contact UK Federation Helpdesk – our dedicated team will be able to help you understand which version of Shibboleth you’re currently running, and advise on the latest version / patches to be aware of. This service is included as part of your core Jisc subscription
  • Call on Trust and Identity Consultancy Support – if you’ve not got the skills or resource to tackle this yourselves, you can also call on our Trust and Identity experts to help you out, whether it’s a one-off project or keeping retained expertise on hand, throughout the year
  • Consider a managed service – if regular updates sounds like a lot of hassle, and you’d rather utilise a managed service, you’re in luck! Jisc can offer this through their sister company – OpenAthens. Alternatively – there’s a list of other 3rd party support providers available here

We hope this has been a helpful read. For any queries about Shibboleth or UK Access Management Federation – please contact . And if you have any additional queries about Cyber Essentials – please contact





Leave a Reply

Your email address will not be published. Required fields are marked *