
shibboleth-dev - Re: Release Notes... next alpha release

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: Release Notes... next alpha release
  • Date: Thu, 12 Jul 2007 23:44:22 -0400
  • Organization: OIS - Middleware

Alpha 1 will have the following features:
- Fetching of metadata from URLs, the filesystem, and inline to the configuration as well as chaining metadata sources.

- REMOTE_USER based user authentication

- Shibboleth SSO with or without attribute push (default is to push)

- SAML 1 Attribute Query via SOAP over HTTP

- SAML 2 Authentication Request via POST and Redirect, with or without attribute push (default is to push)

- SAML 2 Attribute Query via SOAP over HTTP

- Attribute Resolution w/ the following plugins:
  - Direct principal connector (i.e. does no translation between incoming name identifiers and principals)
  - Relational Database data connector
  - LDAP data connector
  - Static data connector (called "echo" connector in the past)
  - Simple attribute definition
  - Scriptlet attribute definition (supporting Javascript only at the moment)
  - Principal Name and Authentication method definitions (just makes those two fields available as attributes)
  - SAML 1 and 2 String value encoders (takes an attribute, calls toString() on all values, and makes SAML 1/2 <Attribute>s from them)
  - SAML 1 NameIdentifier encoder (takes an attribute, calls toString() on the first value, and makes a SAML 1 <NameIdentifier>)
  - SAML 2 NameID encoder (same as above but creates SAML 2 <NameId>)

- Attribute filtering
  - Ability to define policy group wide policy requirements, attribute, and permit value rules and reference them throughout the policy
  - The following functions are supported for constructing policy requirements and attribute permit value rules:
    - Attribute issuer, requester, scope, and value, authentication method, and principal matching based on exact string and regular expression.
    - Boolean functions supporting AND, OR, and NOT for use in composing rules
    - ANY
    - Scriptlet (currently supporting Javascript only)
    - Number of value checking (e.g. ensure there is only 1 value for an attribute)

The following things are not supported in Alpha 1:
- Metadata filters (filters metadata as it is loaded into the system)
- Signing and Encryption
- Anonymous relying parties (since there is no real security in this release)
- Authentication of users based on IP and Username/Password validating against LDAP and Kerberos
- SAML 1 & 2 Artifact
- SAML 2 Logout
- The following attribute authority features:
  - Use of attribute information in query requests or metadata
  - Use of Shib Scope metadata extension
  - Mapped, Composite, Regex, and Scoped attribute definitions
  - SAML Metadata aware filter match functor (e.g. policy requirements based on an entity's membership in a group in metadata, etc.)
  - Wild card attribute filter rules (e.g. attributeID="*")

Configuration file formats are considered to be stable at this point and will only change if some bug is found that would require a change.

Attribute resolution and plugin interfaces are considered to be stable and may be developed against; other plugin interfaces are not stable at this time and may change.

Documentation of attribute resolution and filtering plugins will proceed immediately after the release of Alpha 1.

There are known memory leaks in Alpha 1.

Only bugs reported through JIRA will be addressed.

I will include all of this information with the IdP bundle itself.

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124


