mw-announce - First public beta of Shibboleth v1.3 now available
Subject: Middleware Announcements
- From: Renee Frost
- Subject: First public beta of Shibboleth v1.3 now available
- Date: Thu, 09 Jun 2005 16:55:06 -0400
The Shibboleth team is pleased to announce the availability of the first public beta release of the next major version, v1.3, of the Internet2 Shibboleth software. Many new features have been introduced and the providers have been generalized, all described in more detail at https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/ShibOnedotThree . Significant changes include:
* With this release, Shibboleth supports all of the required features of the SAML v1.1 specification. Support for the Browser Artifact Profile and AttributePush has been added.
* This release will support the use of two different schemas to specify Federation MetaData: the proprietary schema used in the previous Shibboleth release, and the schema specified in the SAML v2.0 specification. In the future, the proprietary Shibboleth schema will likely be deprecated.
* This release will be usable in the CredentialService role defined in the US Federal E-authentication Initiative (http://www.cio.gov/eauthentication/ ). We expect this release or a small follow-on to be certified by the e-authn labs for use by campuses when interacting with applications offered by federal agencies.
* The multi-federation support in the IdentityProvider component is completed. This will allow a single instance of an IdentityProvider to operate within multiple federations, with a full implementation of the trust fabric validation.
* Some small improvements have been made to the build process for the IdentityProvider component (e.g., the configuration files will be pulled out of the war file).
The initial deployment documentation is available at:
http://shibboleth.internet2.edu/guides/idp/
http://shibboleth.internet2.edu/guides/sp/
At this time, we would strongly encourage sites with some experience and familiarity with the Shibboleth software to help the process of reaching a stable release by downloading, testing, and experimenting with the software. Problems should be reported via http://bugzilla.internet2.edu/ .
We'd like to ask sites that work with the beta to post success stories in addition to questions and problems. This information will help us to evaluate whether the new packages are usable. Normally, the success stories are represented just by silence.
NOTES:
1) This is the first beta release of a major new version. Although we have tested it, sites should treat this as feature-complete without sufficient load testing, and likely to contain bugs. Since this is a beta release, Shibboleth v1.3b should not be installed over an existing Shibboleth installation, but rather installed into a clean test environment. It is also not recommended nor supported for production use.
2) With this release, we are moving toward using the SAML vocabulary. Consequently, some of the old familiar terms (e.g., SHAR, SHIRE, etc.) are being replaced with newer terms. We have provided a Glossary to help in this transition. Please feel free to suggest additional entries.
3) Shibboleth v1.3b supports two formats for federation metadata: the original proprietary format which is being deprecated, and the newer SAML 2.0 format. To continue to support 1.2.1 deployments, InCommon and InQueue will distribute metadata and new provider information in both formats; currently, however, since this is a beta release, only InQueue is distributing the new format. The new format metadata is available at http://wayf.internet2.edu/InQueue/IQ-metadata.xml . Note that the information previously contained in the sites and trust files has now been merged into a single file. Additionally, many of the new features will require use of the new metadata.
4) The new IdP component no longer uses apache/mod_ssl to implement the trust layer. Instead, the java IdP code now implements the trust checking. The new IdP implementation will only work correctly with the new metadata.
5) Because of the change noted in the previous point, we believe it should be possible to use the new IdP WITHOUT apache, and using just Tomcat. We have not had the time to investigate this. However, if someone does identify how to do this (or, better yet, develops some code to do this), please post a description. Configurations using just Tomcat would probably need to have a process for taking the union of all trust anchors from the metadata and adding them into tomcat's trust store.
6) The InCommon and InQueue application forms have not yet been enhanced to allow sites to request that their metadata entry contain elements that are required for some of the new functionality; these enhancements will be made very soon.
7) At this time, we are only providing installation information for the new release. We only expect people to be installing this release into clean test environments. However, over the next couple of weeks, we expect to provide upgrade guides to help with the summertime transition of production Shibboleth sites to the new version.
8) Sites using the SP component are encouraged to use their existing configuration files. These should work with the new release.
9) We've created an area on the Shib wiki where people can add comments about their experiences using the new version. Look at the bottom of this page, https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/ShibOnedotThree , under "Using the v1.3 Shibboleth Implementation". Remember, though, that this wiki is Shibboleth-enabled, and you'll have to register in order to edit the text.
Steven Carmody
Brown University
Shibboleth Project Lead
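
The step that note 5 leaves open, taking the union of all trust anchors from the metadata, is sketched below as an added example; it is not part of the original announcement or of the Shibboleth code base. It assumes the anchors appear as `ds:X509Certificate` values under a `shibmeta:KeyAuthority` extension element, uses constructed placeholder bytes instead of real certificates, and the alias scheme is hypothetical.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: trust anchors sit under a KeyAuthority extension in this namespace.
SHIBMETA = "urn:mace:shibboleth:metadata:1.0"

def _keyinfo(label):
    # Constructed placeholder bytes stand in for a DER-encoded certificate.
    b64 = base64.b64encode(label.encode()).decode()
    return (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")

# Constructed sample: a federation-level anchor set, an entity-level set that
# repeats one anchor, and an entity key that is NOT a trust anchor.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}" xmlns:shibmeta="{SHIBMETA}">
 <Extensions><shibmeta:KeyAuthority>{_keyinfo("anchor-A")}{_keyinfo("anchor-B")}</shibmeta:KeyAuthority></Extensions>
 <EntityDescriptor entityID="urn:example:sp">
  <Extensions><shibmeta:KeyAuthority>{_keyinfo("anchor-B")}</shibmeta:KeyAuthority></Extensions>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <KeyDescriptor>{_keyinfo("entity-key")}</KeyDescriptor>
  </SPSSODescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""

def trust_anchors(metadata_xml):
    """Return {sha256 hex: DER bytes} for each distinct KeyAuthority certificate."""
    root = ET.fromstring(metadata_xml)
    anchors = {}
    for authority in root.iter(f"{{{SHIBMETA}}}KeyAuthority"):
        for cert in authority.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            anchors.setdefault(hashlib.sha256(der).hexdigest(), der)
    return anchors

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def import_plan(metadata_xml):
    """(alias, PEM) pairs; fingerprint-based aliases keep repeated runs stable."""
    return [(f"fed-anchor-{fp[:16]}", to_pem(der))
            for fp, der in sorted(trust_anchors(metadata_xml).items())]

if __name__ == "__main__":
    for alias, pem in import_plan(SAMPLE):
        print(alias)
        print(pem)
```

Each PEM in the plan would then be imported into the trust store Tomcat is configured to use, for example with the JDK's `keytool`. The script does not verify the metadata's signature, so it should only be run on metadata whose integrity has already been checked.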