Shibboleth 2.x packages updated in unstable
Kristof BAJNOK
bajnokk at niif.hu
Tue Sep 15 09:10:23 UTC 2009
On Wednesday 09 September 2009 23.51.07 Ferenc Wagner wrote:
> > Debian unstable should now have all the current versions of the
> > Shibboleth packages. I've done some light testing, but haven't been
> > able to do anything that comprehensive since we'll be doing our
> > Shibboleth 2.x upgrade later this fall. If anyone is in a position
> > to test with unstable, please do.
>
> Thank you very much for wading through this! I did some very basic
> testing today and the SP installed and started OK. We'll continue
> stressing the new packages, but we haven't got a prepared unstable
> testing environment either.
I've upgraded some of our lenny boxes to 2.2.1 today (from squeeze), no
problems so far.
The only thing I had to do manually after the upgrades is to apply the
following patch on shibboleth2.xml to get rid of the startup warning about
the (now) legacy Policy syntax:
--- /tmp/shibboleth2.xml 2009-08-26 16:46:05.484303000 +0200
+++ /etc/shibboleth/shibboleth2.xml 2009-09-15 10:50:06.787473117 +0200
@@ -296,12 +296,20 @@
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
- <!-- The predefined policy enforces replay/freshness and permits
signing and client TLS. -->
+ <!--
+ The predefined policy enforces replay/freshness, standard
+ condition processing, and permits signing and client TLS.
+ -->
<Policy id="default" validate="false">
- <Rule type="MessageFlow" checkReplay="true" expires="60"/>
- <Rule type="ClientCertAuth" errorFatal="true"/>
- <Rule type="XMLSigning" errorFatal="true"/>
- <Rule type="SimpleSigning" errorFatal="true"/>
+ <PolicyRule type="MessageFlow" checkReplay="true"
expires="60"/>
+ <PolicyRule type="Conditions">
+ <PolicyRule type="Audience"/>
+ <!-- Enable Delegation rule to permit delegated access. -->
+ <!-- <PolicyRule type="Delegation"/> -->
+ </PolicyRule>
+ <PolicyRule type="ClientCertAuth" errorFatal="true"/>
+ <PolicyRule type="XMLSigning" errorFatal="true"/>
+ <PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
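Review bot: The new `<PolicyRule type="Conditions">` block with its nested `<PolicyRule type="Audience"/>` is a behavioural change, not part of the `Rule` to `PolicyRule` rename that silences the legacy-syntax warning. The updated comment says as much, since "standard condition processing" is new wording. I would note that in the description and test it separately from the basic session checks, for example by confirming that an assertion whose audience does not match this SP is rejected. Leaving `<PolicyRule type="Delegation"/>` commented out is the right default and should stay that way unless delegated access is actually required. The `validate="false"` attribute on `<Policy id="default">` is carried over unchanged, so this patch does not alter schema validation either way.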
I didn't care much about the changes in attribute-map.xml, just kept the old
version.
So far I've only done some basic functionality testing (session initiation,
logout, content protection). It just works. :)
If you have anything specific to test, please let me know.
Kristof