Security hardening guidance for Shibboleth IDP v5.x with focus on Linux DevOps best practices.
¶ TLS and Cipher Policy
- Enforce TLS 1.2+: Configure your web server/reverse proxy to only allow TLS 1.2 and higher
- Modern Cipher Suites: Use strong cipher suites that support forward secrecy
- HSTS Headers: Implement HTTP Strict Transport Security headers
- Certificate Validation: Ensure proper certificate validation and chain verification
server {
    listen 443 ssl http2;
    server_name idp.example.com;

    # SSL Configuration
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with ECDHE/DHE key exchange (forward secrecy). The "*-SHA512"
    # names seen in many copied configs are not valid OpenSSL suite names and
    # are silently ignored, so only real suites are listed here.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS and related browser hardening headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
}
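Copied `ssl_ciphers` lists often contain suite names that no OpenSSL build recognizes; OpenSSL drops unknown names without complaint as long as at least one entry matches, so the mistake is invisible at runtime. The following script is an added example (not from this page or the Shibboleth project) that asks the local OpenSSL build, through Python's `ssl` module, which suites each entry resolves to, and additionally flags entries whose key exchange is not ECDHE/DHE and therefore gives no forward secrecy. The two cipher strings are constructed for the demonstration.

```python
"""Validate an OpenSSL-style cipher string (as used in nginx ssl_ciphers)
against the local OpenSSL build and flag suites without forward secrecy.

Added example; not part of the original guidance or the Shibboleth project.
"""
import ssl

# Constructed cipher strings for the demonstration.
GOOD_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
TYPO_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384"


def _resolve(entry: str) -> list:
    """Return the TLS 1.2-and-below suites OpenSSL selects for one entry.

    An empty list means OpenSSL recognized nothing ("No cipher can be
    selected"); TLS 1.3 suites are always present and are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(entry)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def validate_cipher_list(cipher_string: str) -> dict:
    """Classify every entry of a colon-separated cipher string.

    Returns a dict with 'unknown' (not recognized by OpenSSL),
    'no_forward_secrecy' (resolves to at least one non-ECDHE/DHE suite)
    and 'ok' entries, in the order they appear.
    """
    result = {"unknown": [], "no_forward_secrecy": [], "ok": []}
    for entry in cipher_string.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-+@":
            # Directives such as !aNULL or @STRENGTH are not suite names.
            continue
        suites = _resolve(entry)
        if not suites:
            result["unknown"].append(entry)
        elif all(s["name"].startswith(("ECDHE-", "DHE-")) for s in suites):
            result["ok"].append(entry)
        else:
            result["no_forward_secrecy"].append(entry)
    return result


if __name__ == "__main__":
    for label, value in (("good", GOOD_CIPHERS), ("typo", TYPO_CIPHERS)):
        print(label, validate_cipher_list(value))
```

Run it against the exact string from your nginx configuration; anything reported as `unknown` should be removed, and anything under `no_forward_secrecy` should be replaced with an ECDHE or DHE suite.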
¶ Certificate and Key Management
¶ Separate Signing and Encryption Keys
- Separate Certificates: Use separate X.509 certificates for signing and encryption operations
- Key Rotation: Implement regular rotation of SAML signing and encryption keys
- Secure Storage: Store private keys in secure, restricted-access locations
- Access Control: Limit access to certificate and key files to authorized personnel only
# Set proper permissions for certificate and key files: root owns them and may
# write, the service group may only read (640), nobody else has any access.
# (600 together with a service group would leave that group unable to read.)
sudo chown root:shibd /opt/shibboleth-idp/credentials/*
sudo chmod 640 /opt/shibboleth-idp/credentials/*
sudo chmod 750 /opt/shibboleth-idp/credentials/
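Permissions drift after key rotations and restores, so the chown/chmod step is worth turning into a recurring check. The script below is an added example (not from this page or the Shibboleth project); it audits a credentials directory against the policy the commands above express: private key material at most `0640`, the directory at most `0750`, and no world-writable file. The directory it builds in `demo()` and the file names in it are constructed, and the suffixes treated as private material are an assumption.

```python
"""Audit permissions under an IdP credentials directory.

Added example; not part of the original guidance or the Shibboleth project.
"""
import os
import stat
import tempfile

# Suffixes treated as private key material (assumption for this example).
PRIVATE_SUFFIXES = (".key", ".jks", ".p12", ".kver")


def audit_credentials(path: str) -> list:
    """Return (path, reason) findings for permissions looser than policy."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & ~0o750:
        findings.append((path, "directory mode %o exceeds 0750" % dir_mode))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if name.endswith(PRIVATE_SUFFIXES):
            # Anything beyond rw-r----- on private material is a finding.
            if mode & ~0o640:
                findings.append((full, "private key mode %o exceeds 0640" % mode))
        elif mode & stat.S_IWOTH:
            # Certificates may be world-readable, but never world-writable.
            findings.append((full, "world-writable"))
    return findings


def demo() -> list:
    """Build a constructed credentials directory and return offending names."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o750)
    files = {
        "idp-signing.key": 0o640,      # compliant
        "idp-encryption.key": 0o644,   # world-readable private key: finding
        "idp-signing.crt": 0o644,      # public certificate, fine
        "sealer.jks": 0o600,           # compliant
    }
    for name, mode in files.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("constructed placeholder, not a real credential\n")
        os.chmod(p, mode)
    return [os.path.basename(f) for f, _ in audit_credentials(d)]


if __name__ == "__main__":
    print(demo())
```

Point `audit_credentials()` at `/opt/shibboleth-idp/credentials` from a cron job or a configuration-management check and alert on a non-empty result.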
¶ Certificate Authority and Chain Verification
- Proper Chain: Ensure complete certificate chains are provided
- CA Trust: Maintain updated CA certificate bundles
- OCSP Stapling: Enable OCSP stapling where possible for revocation checking
¶ Attribute Release
- Principle of Least Privilege: Release only the minimum required attributes to each service provider
- Attribute Filtering: Implement strict attribute filtering policies in conf/attribute-filter.xml
- Consent Mechanisms: Consider implementing attribute release consent where appropriate
<!-- Release only the required attributes to one specific SP.
     IdP v5 attribute-filter.xml syntax; the entityID is a placeholder. -->
<AttributeFilterPolicy id="restrictedSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
    <!-- Any attribute without a matching AttributeRule is denied by default -->
</AttributeFilterPolicy>
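Least-privilege attribute release is easy to state and hard to keep true in a filter file that grows over years. The script below is an added example (not from this page or the Shibboleth project) that parses an `attribute-filter.xml` in the IdP v5 syntax (unprefixed elements in the `urn:mace:shibboleth:2.0:afp` namespace, `xsi:type` on rules), summarizes what each policy releases and to whom, and lists every attribute a policy releases to any requester (`PolicyRequirementRule xsi:type="ANY"`). `SAMPLE_FILTER` is a constructed fragment and the SP entityID in it is a placeholder.

```python
"""Summarize attribute release in an IdP attribute-filter.xml and flag
attributes released to every requester.

Added example; not part of the original guidance or the Shibboleth project.
"""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed fragment in IdP v5 syntax; the entityID is a placeholder.
SAMPLE_FILTER = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="restrictedSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="displayName" permitAny="true"/>
    <AttributeRule attributeID="uid">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


def _permits_any_value(rule) -> bool:
    """True if the AttributeRule releases every value of the attribute."""
    if rule.get("permitAny", "false").lower() == "true":
        return True
    return any(r.get(f"{{{XSI}}}type") == "ANY"
               for r in rule.findall(f"{{{AFP}}}PermitValueRule"))


def _policies(xml_text: str):
    """Yield (policy id, requirement description, policy element)."""
    root = ET.fromstring(xml_text)
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is None:
            desc = "MISSING"
        else:
            desc = req.get(f"{{{XSI}}}type", "?")
            if req.get("value"):
                desc += ":" + req.get("value")
        yield policy.get("id"), desc, policy


def summarize(xml_text: str) -> dict:
    """Map policy id -> {'requester': description, 'attributes': [ids]}."""
    return {
        pid: {
            "requester": desc,
            "attributes": [r.get("attributeID")
                           for r in policy.findall(f"{{{AFP}}}AttributeRule")],
        }
        for pid, desc, policy in _policies(xml_text)
    }


def broad_releases(xml_text: str) -> list:
    """(policy, attribute) pairs released, with all values, to any requester."""
    return [
        (pid, r.get("attributeID"))
        for pid, desc, policy in _policies(xml_text)
        if desc == "ANY"
        for r in policy.findall(f"{{{AFP}}}AttributeRule")
        if _permits_any_value(r)
    ]


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_FILTER).items():
        print(pid, info)
    print("released to anyone:", broad_releases(SAMPLE_FILTER))
```

Run `broad_releases()` over the deployed file as part of a configuration review; each pair it returns is an attribute every requester in the federation can obtain and should be justified or scoped to a `Requester`, `InEntityGroup` or similar requirement rule.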
¶ Administrative Access Control
- ACL Configuration: Configure access control lists for administrative endpoints
- Network Segmentation: Restrict access to management interfaces to trusted networks
- Authentication: Require strong authentication for administrative access
¶ Handler Configuration with ACL
<!-- Restrict status handler access -->
<Handler type="Status" Location="/Status"
acl="127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" />
<!-- Restrict admin handler access -->
<Handler type="Admin" Location="/Admin"
acl="127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" />
<!-- ExternalAuth handler (critical - must have ACL) -->
<Handler type="ExternalAuth" Location="/ExternalAuth"
acl="127.0.0.1 ::1" />
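The `<Handler ... acl="...">` form above is the Shibboleth SP's `shibboleth2.xml` syntax. On the IdP side, administrative flows (status, reload-service, metrics and similar) are guarded by named policies; in IdP v4/v5 these live in `conf/access-control.xml` as a Spring `util:map` of `shibboleth.IPRangeAccessControl` beans with a `p:allowedRanges` list. The script below is an added example (not from this page or the Shibboleth project) that loads such a fragment, evaluates a client address against a named policy exactly as the deny-by-default semantics require, and lists ranges so wide that they deserve a second look. `ACCESS_CONTROL_XML` is a constructed fragment and the file layout it follows is an assumption to compare against your own file.

```python
"""Evaluate IdP administrative access-control policies offline.

Added example; not part of the original guidance or the Shibboleth project.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
P = "http://www.springframework.org/schema/p"

# Constructed fragment in the assumed shape of conf/access-control.xml.
ACCESS_CONTROL_XML = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}" xmlns:p="{P}">
  <util:map id="shibboleth.AccessControlPolicies">
    <entry key="AccessByIPAddress">
      <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
          p:allowedRanges="#{{ {{'127.0.0.1/32', '::1/128', '10.0.0.0/8'}} }}" />
    </entry>
    <entry key="AccessByAdminUser">
      <bean id="AccessByAdminUser" parent="shibboleth.IPRangeAccessControl"
          p:allowedRanges="#{{ {{'127.0.0.1/32', '::1/128'}} }}" />
    </entry>
  </util:map>
</beans>
"""


def load_policies(xml_text: str) -> dict:
    """policy name -> list of ip_network objects parsed from p:allowedRanges."""
    root = ET.fromstring(xml_text)
    policies = {}
    for entry in root.iter(f"{{{BEANS}}}entry"):
        bean = entry.find(f"{{{BEANS}}}bean")
        if bean is None or bean.get("parent") != "shibboleth.IPRangeAccessControl":
            continue
        # The SpEL literal looks like #{ {'a/32', 'b/8'} }; pull the quoted CIDRs.
        ranges = re.findall(r"'([^']+)'", bean.get(f"{{{P}}}allowedRanges", ""))
        policies[entry.get("key")] = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return policies


def is_allowed(policies: dict, policy: str, client: str) -> bool:
    """Deny by default: an unknown policy or no matching range means no access."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in policies.get(policy, []))


def wide_ranges(policies: dict, max_hosts: int = 65536) -> list:
    """Ranges larger than max_hosts (e.g. whole RFC 1918 blocks) to review."""
    return [(name, str(net)) for name, nets in policies.items()
            for net in nets if net.num_addresses > max_hosts]


if __name__ == "__main__":
    pol = load_policies(ACCESS_CONTROL_XML)
    for client in ("127.0.0.1", "10.1.2.3", "203.0.113.9"):
        print(client, is_allowed(pol, "AccessByIPAddress", client))
    print("wide ranges:", wide_ranges(pol))
```

A whole `10.0.0.0/8` in an admin policy is rarely what "trusted networks" means in practice; restrict it to the management subnet, and keep a policy with only loopback for anything that can trigger authentication on someone's behalf.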
¶ Session Security
- Secure Cookies: Enable secure cookies so they are only transmitted over TLS connections
- IP Consistency: Enable IP address consistency checking to reduce session hijacking risk
- Session Timeout: Configure appropriate session timeouts
- Data Sealer Keys: Use Versioned DataSealer instead of Static type and rotate keys regularly
# Session security settings (conf/idp.properties). Note that "#" does not start
# an inline comment in Java properties files, so comments sit on their own lines.
# Cookies only over HTTPS and not readable by script
idp.cookie.secure = true
idp.cookie.httpOnly = true
# Bind the IdP session to the client address to reduce hijacking risk
idp.session.consistentAddress = true
# 30 minute idle timeout for the IdP session
idp.session.timeout = PT30M
# Authentication results are reusable for at most 6 hours, 30 minutes idle
idp.authn.defaultLifetime = PT6H
idp.authn.defaultTimeout = PT30M
# Track SP sessions so that logout can be propagated
idp.session.trackSPSessions = true
¶ Session Recovery and DataSealer Keys
- Rotation Schedule: Implement daily rotation of DataSealer keys (since Session Recovery tokens contain PII)
- Secure Storage: Store DataSealer keys securely with limited access
- Versioned Sealer: Use Versioned DataSealer instead of Static type
- Disable When Possible: Disable the Session Recovery cookie if it is not needed for clustering
- PII Protection: Remember that Session Recovery tokens contain personally identifiable information
¶ Monitoring and Logging
- Authentication Logs: Monitor authentication success/failure events
- Metadata Changes: Track federation metadata updates and changes
- Anomaly Detection: Implement detection for unusual access patterns
- Audit Trail: Maintain audit logs for compliance
# Security-relevant logging levels (conf/idp.properties). The audit trail is
# written separately to logs/idp-audit.log by logback.xml and needs no level.
idp.loglevel.idp = INFO
idp.loglevel.messages = INFO
idp.loglevel.ldap = WARN
idp.loglevel.opensaml = INFO
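Monitoring authentication failures is only useful with a concrete rule behind it. The script below is an added example (not from this page or the Shibboleth project) that implements two detections practitioners typically want on an IdP: password spraying (one client address failing logins for many distinct users inside a short window) and a targeted user under sustained failures from any number of addresses. `SAMPLE_AUDIT` is a constructed log in an assumed pipe-separated layout (`time|event|client|user|relying_party`), not the IdP's actual `idp-audit.log` format; map the fields to your own audit layout before use.

```python
"""Detect password spraying and targeted brute force in authentication events.

Added example; not part of the original guidance or the Shibboleth project.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed layout: time|event|client|user|relying_party
SAMPLE_AUDIT = """\
2024-05-01T08:00:01Z|AuthnFailed|203.0.113.5|alice|https://sp1.example.org
2024-05-01T08:00:03Z|AuthnFailed|203.0.113.5|bob|https://sp1.example.org
2024-05-01T08:00:05Z|AuthnFailed|203.0.113.5|carol|https://sp1.example.org
2024-05-01T08:00:07Z|AuthnFailed|203.0.113.5|dave|https://sp1.example.org
2024-05-01T08:00:09Z|AuthnOK|192.0.2.10|erin|https://sp2.example.org
2024-05-01T08:01:00Z|AuthnFailed|198.51.100.7|frank|https://sp1.example.org
2024-05-01T08:02:00Z|AuthnFailed|198.51.100.8|frank|https://sp1.example.org
2024-05-01T08:03:00Z|AuthnFailed|198.51.100.9|frank|https://sp1.example.org
2024-05-01T08:04:00Z|AuthnFailed|198.51.100.10|frank|https://sp1.example.org
2024-05-01T08:05:00Z|AuthnFailed|198.51.100.11|frank|https://sp1.example.org
2024-05-01T09:30:00Z|AuthnFailed|203.0.113.5|alice|https://sp1.example.org
"""


def parse(log_text: str):
    """Yield (time, event, client, user, relying_party) per non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, client, user, sp = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, client, user, sp


def detect_anomalies(log_text: str, window=timedelta(minutes=10),
                     spray_users: int = 4, user_failures: int = 5) -> dict:
    """Sliding-window detection over failed authentications.

    spraying_sources: clients failing for >= spray_users distinct users
    within `window`; targeted_users: users with >= user_failures failures
    within `window` from any clients.
    """
    recent_by_ip = defaultdict(deque)    # client -> deque of (time, user)
    recent_by_user = defaultdict(deque)  # user -> deque of times
    spraying, targeted = set(), set()
    for when, event, client, user, _sp in sorted(parse(log_text)):
        if event != "AuthnFailed":
            continue
        q = recent_by_ip[client]
        q.append((when, user))
        while q and when - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= spray_users:
            spraying.add(client)
        uq = recent_by_user[user]
        uq.append(when)
        while uq and when - uq[0] > window:
            uq.popleft()
        if len(uq) >= user_failures:
            targeted.add(user)
    return {"spraying_sources": sorted(spraying), "targeted_users": sorted(targeted)}


if __name__ == "__main__":
    print(detect_anomalies(SAMPLE_AUDIT))
```

Thresholds and window are deliberately parameters: tune them against a week of your own audit data so that a help-desk password reset does not page anyone, while a spray across the directory still does.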
¶ Container Deployment
- Non-root User: Run containers as a non-root user where possible
- Resource Limits: Apply CPU and memory limits to prevent resource exhaustion
- Read-only Root: Use a read-only root filesystem where possible
- Secrets Management: Use the container orchestrator's secrets management
¶ Regular Security Maintenance
¶ Update and Patch Management
- Stay Current: Maintain current versions of Shibboleth IDP with latest security patches
- Subscribe to Advisories: Subscribe to Shibboleth announce mailing list for security advisories
- Test Updates: Test security updates in staging before applying to production
¶ Security Assessment
- Vulnerability Scanning: Regularly scan for vulnerabilities in your deployment
- Penetration Testing: Conduct regular security assessments
- Configuration Reviews: Periodically review security configurations
- Access Reviews: Regularly audit access to administrative interfaces and sensitive data
¶ Additional Resources
- Subscribe to the Shibboleth announce mailing list for security advisories
- Regularly check the Shibboleth security advisories page
- Follow SANS and other security best practice guidelines for SAML deployments