mw-announce - Shibboleth v.0.8 is now available
Subject: Middleware Announcements
- From: Renee Frost
- Subject: Shibboleth v.0.8 is now available
- Date: Tue, 11 Mar 2003 14:59:19 -0500
The Internet2 Shibboleth team is pleased to announce the availability of release 0.8 of its Shibboleth implementation. This new release contains many improvements and enhancements. A partial list is included at the end of this note.
With this release, there are separate distributions for origin and target deploys. Deploy documentation can be found, linked from the "Shibboleth v0.8 Available" entry in the Navigation Bar of the Shibboleth Home Page:
http://shibboleth.internet2.edu/
This release has been tested on Red Hat Linux versions 7.2 and 7.3, and on Solaris 2.8. The origin implementation is entirely in Java, so there is one package for all platforms. There are separate target packages for RH and Solaris. The distribution packages are available from http://wayf.internet2.edu/shibboleth/index.html
Shibboleth is an Open Source project, and we don't guarantee support. However, if you encounter problems, join the mace-shib-users list @ Internet2 (http://middleware.internet2.edu/shibboleth/shib-misc.shtml#mailinglist), and post a description of your problem; it's very likely someone will answer.
If you discover a bug, please post it to our Bugzilla-based repository (http://bugzilla.internet2.edu/shibboleth/). Bugs can be posted against a 0.8 product version.
For those who are so inclined, the source is available from our CVS repository (http://middleware.internet2.edu/opensaml/cvs.html). Tarballs containing snapshots of the 0.8 source are also available from http://wayf.internet2.edu/shibboleth/index.html . These contain docs describing how to compile the new version.
Lastly, a BIG thank you to the people who helped us test this version, and improve the quality of the overall package, the install process, and the documentation.
Steven Carmody
Shibboleth Project Manager
--- Features and Functionality Added for the 0.8 Release --------------
-- ORIGIN
Changes to the Attribute Release Policy processing. Changed the way that ARPs are defined and processed, to make the concept more consistent and understandable, and to improve the ability of a site to manage ARPs. Changed the ARP schema, to support the new model and algorithm, and to remove access permissions from the ARP schema. Store the ARPs in the file system, as XML documents. Rely on the access control mechanism provided by the file system. ARPs will be editable with an ordinary editor.
Improved robustness and failover support. Implemented a stateless mechanism for transferring the "handle to user identity mapping" from the Handle Service to the Attribute Authority. This allows an origin site to easily run multiple copies of both the Handle Service and Attribute Authority, and not have to worry about preserving state information, or transferring information among the multiple copies. These services can now be restarted without interrupting service.
Provided a way for browser users at origin sites to authenticate to the Handle Service using client certificates.
Improved error detection in the Handle Server and Attribute Authority, and reflect these errors to the target and the browser user in an understandable (and recoverable) fashion.
Ensure that the Handle Service's re-direct page works properly with different browsers. Refined the page to reduce the possibility of inadvertent excess mouse clicks.
-- TARGET
Support simple Attribute Acceptance Policies. Support regular expression AAPs for scoped attributes based on the Domain elements in the sites file, and regular expression and literal matching rules based on origin site name using an XML policy file at the target.
Extended the Resource Manager functionality to support Shib's extended attributes. This will extend the RM processing to support using regexp matching of a rule against a supplied attribute (e.g., for entitlement values).
Simplified the process of adding new attributes. Support the addition of simple-valued attributes (multiple or single) through runtime configuration commands.
Improved performance and portability. Make the SHAR and the webserver shim that invokes the SHAR thread safe. In addition, this change is necessary for future Apache 2.x and IIS implementations.
Cleanup of error handling and error messages to improve usability in error situations.
Regularly obtains the latest sites file from the Club Registry. (Note: this will not include automatically updating the set of trusted root certificates.)
Extended the SHAR so that it can request specific attributes from the AA. The Shib administrator at the target uses a directive in the shibboleth.ini config file to specify the list of required attributes.
Improved target side robustness. Add cleanup of old session information to the SHAR.
-- WAYF
Added two new buttons to the WAYF page: Remember this origin site permanently (sets a permanent cookie), and Don't remember this origin site (sets no cookie). Both buttons will take the browser user on to the selected origin site.
-- OPENSAML
Extended the Java API to match the functionality currently available with the C++ API.
Integrated some (not all) of the donated code.
Finalized the signing logic in OpenSAML so that we can guarantee interoperability going forward.
Added support for certificate chains.
Allow an attribute requester to specify the attributes they want returned to them. This is necessary to allow the SHAR to request specific attribute values.
Renée Woodten Frost
Assistant Director, Middleware Initiative
University Corporation for Advanced Internet Development (UCAID)
3025 Boardwalk Suite 100
Ann Arbor, Michigan 48108
phone: 734-913-4293