shibboleth-sp (3.0.2+dfsg1-1) experimental; urgency=medium With the release of Shibboleth Service Provider 3, the "2" version indicator is dropped from the source and binary package names, from the name of the Apache module file and most importantly, from the module and config name used with a2enmod/a2enconf. However, /etc/shibboleth/shibboleth2.xml kept its name, following upstream convention. Changes to the old config file /etc/apache2/conf-available/shib2.conf will be preserved and included in the Apache configuration under the new name; they will have to be manually disabled again if not desired. From version 3 the upstream default log destination of the Apache module (the "native log") is syslog, not files under the /var/log/shibboleth-www directory. Syslog was the Debian default before 2.5.5+dfsg1-1, when the package behavior was aligned to upstream. Following the upstream default, that change is effectively reverted in this package version. -- Ferenc Wágner Fri, 10 Aug 2018 17:05:54 +0200 shibboleth-sp2 (2.6.1+dfsg1-2) unstable; urgency=medium Upstream's default Apache configuration is now installed in /etc/apache2/conf-available/shib2.conf. Notably, it allows unrestricted access to the handler location (required for Shibboleth to function) with: AuthType None Require all granted This configuration also contains ShibCompatValidUser Off (the default setting), which you may want to enable if you use other authentication modules on the same Apache server as Shibboleth. -- Etienne Dysli Metref Mon, 27 Nov 2017 08:41:27 +0100 shibboleth-sp2 (2.5.5+dfsg1-1) unstable; urgency=medium The Debian specific redirection of logs from the Apache module (native logs) is dropped in this version. The new upstream location for these logs is /var/log/shibboleth-www. -- Ferenc Wágner Thu, 21 Jan 2016 01:13:27 +0100 shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low Shibboleth has added new Require shib-session and Require shib-user directives, which will replace use of Require valid-user and Require user with Shibboleth authentication. If you are currently using valid-user or user restrictions with Shibboleth, consider switching to shib-session and shib-user, respectively. If you are using both Shibboleth and another authentication method, such as basic auth, on the same Apache server and want to use Require valid-user or Require user with the non-Shibboleth authentication method, you will need to add: ShibCompatValidUser On to your server or virtual host configuration. -- Russ Allbery Tue, 18 Jun 2013 14:47:40 -0700 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high As of this release, running shibd as a non-root user is supported and recommended to limit the impact of any potential security issues. The package will create a dedicated _shibd user on installation for that purpose. In order for shibd to run as user _shibd instead of as root, user _shibd must have read access to the private key of the server. The easiest way is to make the private key, normally /etc/shibboleth/sp-key.pem, owned by root and readable by group _shibd: chown root:_shibd /etc/shibboleth/sp-key.pem chmod 640 /etc/shibboleth/sp-key.pem The init script attempts to detect, when starting up shibd, whether it can read the private key specified in the configuration and, if not, falls back on running shibd as root, as was done in previous versions of this package. -- Russ Allbery Tue, 10 Nov 2009 16:48:03 -0800 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low There are several changes to the configuration syntax and defaults in Shibboleth 2.2, one of which produce deprecation warnings on startup until /etc/shibboleth/shibboleth2.xml is updated. The most significant change is that tags in the element should be changed to and a new policy rule added: See: https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationChanges for all the details and further explanation. -- Russ Allbery Tue, 15 Sep 2009 20:44:26 -0700 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low With this release, the Apache module configuration fragments in /etc/apache2/mods-available have been renamed to shib2.* from shib.* to avoid conflicts with libapache2-mod-shib. If you had any customizations in /etc/apache2/mods-available/shib.load, you will need to move them to /etc/apache2/mods-available/shib2.load. -- Russ Allbery Tue, 14 Oct 2008 20:52:20 -0700