
shibboleth-dev - Beta miscellany

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Shibboleth Development'" <>
  • Subject: Beta miscellany
  • Date: Thu, 30 Jun 2005 23:35:53 -0400
  • Organization: The Ohio State University

Thought I'd bring folks up to date. Not much testing feedback except my own,
but quite a bit of improvements and fixes are in cvs since the last beta
builds.

I've been testing interoperability for the upcoming Catalyst demo and have
tested successfully against Trustgenix, HP, Sun, and BMC products in both
directions and probably will test a couple of others. Significant
improvements have resulted.

A short list...

- fixed IdP attribute query handler when dealing with 1.1 or pure SAML SPs,
now metadata-driven, with no more Shibboleth HTTP header for compatibility

- added support for authenticating artifact requesters via digital signature
(but not attribute queries, so the original comments about 1.3 not fully
supporting signing still stand)

- SP now fully supports digital signing of artifact or attribute queries for
IdPs that support it. If https is not used, response signing from the IdP is
mandated (but encryption would then be missing).

- SP now supports user-specified signature and digest algorithms, although
OpenSSL 0.9.8 is really needed to enable much other than SHA-1.

- SP now supports HTTP basic, digest, ntlm, and gss-nego SOAP authn for IdPs
that support it (i.e. not Shib's)

- Upgraded and tested new XML-Security-C library, fixes signatures that
include non-line-wrapped base64 content

- Corrected handling of missing TARGET parameter

- SP now supports auto-detection of key and cert formats (patch from Brent
P.)

- Detect errors when OpenSSL isn't seeded

- Detect malformed signatures in SAML messages

- Fixed a bug that expired attributes too early when pushed with authn

- Handle NameIdentifiers without a Format attribute as "unspecified"

I've also done some stress testing on OS X and Windows, though more is
needed. Occasional problems seem to crop up under low memory conditions, but
more of them seem to be caught and handled without harming the system now.

I'll prepare RC-1 builds by this weekend that I think are pretty close to
final unless additional bugs are found. A couple of additional sanity checks
during artifact processing will be added first.

-- Scott


