Shibboleth SP and ADFS

Peter Schober peter.schober at
Tue Apr 5 17:40:57 EDT 2016

* Scott Severtson <ssevertson at> [2016-04-05 20:48]:
> The client transformed their metadata using "Federation Metadata Manager
> for ADFS" (;

FYI, FEMMA had (and it's probably still the case, as that SF page says
"Last update" 3 years ago; AFAIK Cristian has abandoned the project
since he has switched to Shibboleth) issues with SAML Metadata
security (or MetadataIOP); I don't recall the specifics. I think it
wasn't verifying signatures on metadata. So unless you get your TLS
stack in line and/or add additional tooling to make sure what you
import is authentic, that's throwing out all security someone might be
expecting from importing SAML Metadata.

Roland was kind enough to do a version of FEMMA that used his pysaml2
library internally and that should be much more secure and conformant:
So if you had to use any tooling to make MS-ADFS handle SAML Metadata
aggregates I'd strongly suggest pysfemma over FEMMA.

As to the obsolete Ubuntu packages:

* Scott Severtson <ssevertson at> [2016-04-05 21:41]:
> We're on 2.5.2 because that's the version available in Ubuntu 14.04's
> package repositories; an upgrade would be a significant challenge. Even the
> upcoming 16.04 LTS release only packages 2.5.3. Our SP is used by clients
> from hundreds of universities daily, so we're hesitant to roll our own
> package at the risk of stability.

Debian testing already has 2.5.6, jessie-backports will soon, too.
I don't see anything on the Ubuntu side (and I'm not aware of anyone
working on this, or how Ubuntu backporting is organized), but a
trusty-backport shouldn't be too much work based on the Debian
Not sure it's appropriate but if anyone wanted to work on this I'd
suggest getting in contact with the Debian packagers, mostly Ferenc
these days.

Other than that: SWITCH provides unsupported (outside the SWITCH
community) 3rd party packages of current Shib SP releases, including
ones for Ubuntu 14.04:
Their layout (package names, location and defaults for logging, etc.)
doesn't follow that of the Debian (and from that, Ubuntu) packages,
though, so a bit of fiddling/re-adjusting is required as part of a