shibboleth-dev - Progress towards release
- From: Scott Cantor <>
- To: 'Shibboleth Design Team' <>
- Subject: Progress towards release
- Date: Mon, 24 Jun 2002 04:03:13 -0400
- Importance: Normal
- Organization: The Ohio State University
Lots of progress; I think the module is ready for serious testing at
this point. I'm now moving back to Solaris again. The long list of
features added includes:
Minor additions like real session timeout control, and options to
require SSL and IP address checking.
Fully-mappable attribute handling using an Apache command, with
attribute names mapped to HTTP request headers, and optionally to a
require "alias" for use in the authorization layer. An attribute can be
mapped to REMOTE_USER, and is then handled specially as expected.
e.g.:
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonPrincipalName REMOTE_USER
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonAffiliation \
    Shib-EP-Affiliation affiliation
Type-checking attribute classes were added to libeduPerson to support
safe consumption of EPPN, Affiliation, PrimaryAffiliation, and
Entitlement.
The actual attribute factory code is now in a second Apache module
mod_eduPerson, which both tests and illustrates how to dynamically add
an attribute to the system by configuring it into Apache and restarting
the server. This design lets Apache do the hard part of cross-platform
library loading, and the module is very minimal and simple. This idea
ought to translate to NSAPI and ISAPI as well, I believe.
These two features should actually allow real custom attribute support
in alpha2, at least on the target side.
I implemented simple attribute acceptance checking based on a simple
"scope must equal origin site domain" policy, which is a decent starting
point to get that part going. I have tested this against the alpha2 AA
and it seems to work.
I had excellent luck using built-in libcurl features to do the SSL
certificate handling, so I was able to add nearly complete SSL support
to OpenSAML in time for this release. New config slots specify the
client cert, key/password, and optionally a bundle file of CA certs. For
now, only PEM format works. It's possible to send a client cert while
not checking the server's CA.
In all cases, the SHAR now verifies the server's CN against the expected
DNS name being hit, so I had to regenerate certs for shib1 and shib2 to
make this all work right. I used my own OSU test CA for now. I also
tested mod_ssl's client-cert support and was able to make the AA demand
a valid client cert signed by a trusted CA, and it all worked as
expected.
Finally, a variety of error handling choices were changed, to try and
have better decision making about when and how to handle different
errors. For example, if the SHAR can't get attributes, control still
passes to the RM layer, simply without any attributes exported. This is
logical to me, and helps applications that might have useful work to do
in a valid-user case. The SHIRE also tries to be smarter about when to
trigger a new session by redirecting to the WAYF, such as when the AA
reports an invalid handle error. The goal is to avoid so many blanket
Server Error conditions that halt everything.
I'll send Nate the necessary docs soon.
-- Scott
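As an added illustration of the target-side attribute handling the mail describes (the ShibMapAttribute mapping to request headers, the "scope must equal origin site domain" acceptance check, the REMOTE_USER special case and the require alias), here is a small Python model. It is not Shibboleth's own code. It assumes that scoped values travel as value@scope, that unscoped attributes such as entitlements bypass the scope check, and it adds one defensive step the mail does not mention: client-supplied copies of the mapped headers are cleared before export. The configuration text and the assertion data are constructed.

```python
# Added illustration, not Shibboleth code: target-side attribute acceptance and
# header mapping in the style described in the mail. Assumptions: scoped values
# are carried as "value@scope"; unscoped attributes (entitlements) skip the scope
# check; an attribute with no acceptable values exports nothing.
from dataclasses import dataclass
from typing import Optional

CONFIG = """
# constructed config in the ShibMapAttribute form quoted in the mail
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonPrincipalName REMOTE_USER
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonAffiliation \\
    Shib-EP-Affiliation affiliation
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonEntitlement Shib-EP-Entitlement entitlement
"""

# attributes whose values carry a scope that must equal the origin site domain
SCOPED = {
    "urn:mace:eduPerson:1.0:eduPersonPrincipalName",
    "urn:mace:eduPerson:1.0:eduPersonAffiliation",
}


@dataclass(frozen=True)
class AttributeMapping:
    name: str               # attribute name as it appears in the assertion
    header: str             # HTTP request header to export into, or REMOTE_USER
    alias: Optional[str]    # optional alias for "require" in the authorization layer


def parse_map_directives(text: str) -> dict:
    """Parse ShibMapAttribute directives; a trailing backslash continues the line."""
    joined = text.replace("\\\n", " ")
    mappings = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "ShibMapAttribute" or len(parts) not in (3, 4):
            raise ValueError(f"malformed directive: {line}")
        alias = parts[3] if len(parts) == 4 else None
        mappings[parts[1]] = AttributeMapping(parts[1], parts[2], alias)
    return mappings


def accept_scoped(values, origin_domain: str) -> list:
    """Apply the 'scope must equal origin site domain' policy to scoped values.
    A value with no scope, or whose scope differs from the origin, is dropped."""
    accepted = []
    for v in values:
        _, sep, scope = v.rpartition("@")
        if sep and scope.lower() == origin_domain.lower():
            accepted.append(v)
    return accepted


def export_attributes(assertion, origin_domain, mappings, incoming_headers=None):
    """Build the request headers (and REMOTE_USER) handed on to the RM layer.
    Mapped header names already present in the incoming request are cleared so
    a client cannot pre-load them (defensive step assumed here, not from the mail)."""
    headers = dict(incoming_headers or {})
    for m in mappings.values():
        headers.pop(m.header, None)
    remote_user = None
    for name, values in assertion.items():
        m = mappings.get(name)
        if m is None:
            continue                      # unmapped attributes are not exported
        if name in SCOPED:
            values = accept_scoped(values, origin_domain)
        if not values:
            continue                      # nothing acceptable: export nothing
        if m.header == "REMOTE_USER":
            remote_user = values[0]       # treated as single-valued
        else:
            headers[m.header] = ";".join(values)
    return headers, remote_user


def require_satisfied(alias, wanted, headers, mappings) -> bool:
    """Authorization check in the style of `require <alias> <value>...`: true if
    the header mapped under that alias carries any of the wanted values."""
    for m in mappings.values():
        if m.alias == alias:
            present = set(headers.get(m.header, "").split(";")) - {""}
            return bool(present & set(wanted))
    return False


# constructed assertion from an origin site whose domain is osu.edu
ASSERTION = {
    "urn:mace:eduPerson:1.0:eduPersonPrincipalName": ["alice@osu.edu"],
    "urn:mace:eduPerson:1.0:eduPersonAffiliation": ["member@osu.edu", "faculty@other.example", "staff"],
    "urn:mace:eduPerson:1.0:eduPersonEntitlement": ["urn:mace:example.org:contract:1"],
    "urn:mace:eduPerson:1.0:eduPersonNickname": ["ali"],  # not mapped, so dropped
}


def demo():
    """Run the pipeline on the constructed data; returns (headers, REMOTE_USER, authorized)."""
    mappings = parse_map_directives(CONFIG)
    # the incoming request already carries a mapped header (a spoofing attempt) and a Host
    incoming = {"Shib-EP-Entitlement": "urn:mace:example.org:contract:admin", "Host": "shib2.example"}
    headers, user = export_attributes(ASSERTION, "osu.edu", mappings, incoming)
    return headers, user, require_satisfied("affiliation", ["member@osu.edu"], headers, mappings)


if __name__ == "__main__":
    print(demo())
```

The value "faculty@other.example" is dropped because its scope is not the origin site's domain, the unscoped "staff" is dropped under the same policy, and the pre-loaded Shib-EP-Entitlement header is replaced by the value from the assertion rather than merged with it.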