Description
As of April 15, 2026, build.shibboleth.net is returning HTTP 403 Forbidden for all requests, making it impossible to resolve OpenSAML dependencies required for Spring Security SAML support.
Affected URLs
All paths under build.shibboleth.net return 403:
$ curl -s -o /dev/null -w "%{http_code}" https://build.shibboleth.net/maven/releases/
403
$ curl -s -o /dev/null -w "%{http_code}" https://build.shibboleth.net/maven/releases/org/opensaml/opensaml-saml-impl/4.3.2/opensaml-saml-impl-4.3.2.pom
403
$ curl -s -o /dev/null -w "%{http_code}" https://build.shibboleth.net/
403
What we have verified
- Tested from multiple networks (wired broadband + mobile data) — same 403 from all
- All other Maven repositories (Maven Central, Gradle Plugin Portal, Spring) are working normally
- The old Nexus URL (
/nexus/content/repositories/releases/) redirects (302) to the new path (/maven/releases/) which also returns 403
- No announcement found on Shibboleth wiki or mailing list archives
- At least one other report found today: Azure DevOps pipeline failing with same 403
Impact
This is the single-point-of-failure scenario previously discussed in #11966 and #14286.
Questions to the community
- Is anyone else experiencing this right now? We would like to understand how widespread this is.
- Does anyone have more context on whether this is a temporary outage, planned maintenance, or a policy change on Shibboleth side?
- Are there any alternative mirrors for OpenSAML artifacts?
Description
As of April 15, 2026,
build.shibboleth.netis returning HTTP 403 Forbidden for all requests, making it impossible to resolve OpenSAML dependencies required for Spring Security SAML support.Affected URLs
All paths under
build.shibboleth.netreturn 403:What we have verified
/nexus/content/repositories/releases/) redirects (302) to the new path (/maven/releases/) which also returns 403Impact
This is the single-point-of-failure scenario previously discussed in #11966 and #14286.
Questions to the community