Shibboleth Developers

["Scott Cantor" <>]

I'm pleased to announce the second and last planned beta of the Shibboleth
2.0 native SP software. I have removed the first beta to avoid any
confusion. You'll find the second beta at
http://shibboleth.internet2.edu/downloads/2.0-beta2/

Source, SRPM, 32-bit Red Hat 4 and 5 RPM, and a Windows installer are
available for this release. There are no known problems building on any
supported platform, emphasis on "known". Solaris and OS X builds have been
done, but not within the last week.

Release notes are below for convenience. Notable additions to this beta
include new custom handlers for generating metadata, reporting on SP
configuration and status, and dumping information for a session.

There are incompatibilities between the configuration file used by previous
releases and this release, so starting from scratch is suggested. XML
validation errors will occur if you use an older configuration file.

-- Scott

Release Notes

Shibboleth Native SP
2.0beta2
12/1/2007

Fully Supported (no major changes planned prior to stable release)

- SAML 1.0, 1.1, 2.0 Single Sign-On
        - Shibboleth 1.x request profile
        - 1.x POST/Artifact profiles
        - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings

- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
        - SAML SOAP binding

- SAML 2.0 Single Logout
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of logout
    - Race detection of late arriving assertions

- SAML 2.0 NameID Management (IdP-initiated only)
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of changes

- ADFS WS-Federation Support
    - SSO and SLO

- Shibboleth WAYF and SAML DS protocols for IdP Discovery

- Metadata Providers
        - Bulk resolution via local file, or URL with local file backup
        - Dynamic resolution and caching based on entityID 
        - Filtering based on whitelist, blacklist, or signature verification


- Metadata Generation Handler
    - Generates and optionally signs SAML metadata based on SP configuration

- Status Handler
    - Reports on status and configuration of SP
    
- Session Handler
    - Dumps information about an active session 

- Trust Engines
        - Explicit key and PKIX engines via metadata, superset compatible
with 1.3
        - PKIX trust engine with static root list
        
- Configurable per-endpoint Security Policy rules
        - Replay and freshness detection
        - XML signing
        - Simple "blob" signing
        - TLS X.509 certificate authentication

- Client transport authentication to SOAP endpoints
        - TLS X.509 client certificates
        - Basic-Auth
        - Digest-Auth
        - NTLM

- Encryption
        - All incoming SAML 2 encrypted element types (Assertion, NameID,
Attribute)
        - Optional outgoing encryption of NameID in requests and responses

- Attributes
        - Decoding and exporting SAML 1 and 2 attributes
                - Strings
                - Value/scope pairs (legacy and 
value@scope
 syntaxes
supported)
                - NameIDs

- Attribute Filtering
        - Policy language compatible with IdP filtering, except that
references
                only work within policy files, not across them
        - Rules based on, attribute issuer, requester, scope, and value,
authentication
                method, based on exact string and regular expressions.
    - Boolean functions supporting AND, OR, and NOT for use in composing
rules
    - Wildcard rules allowing all unspecified attributes through with no
filtering

- Assertion Export
        - Oversized header replaced with Shib-Assertion-Count and
Shib-Assertion-NN headers
                containing local URL to fetch SAML assertion using HTTP GET

- Enhanced Spoofing Detection
        - Detects and blocks client headers that would match known attribute
headers

- ODBC Clustering Support
        - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC
drivers

- RequestMap enhancements
    - Regular expression matching for hosts and paths
    - Query string parameter matching

- Error handling enhancements
    - Reporting of SAML status errors
    - Optional redirection to custom error handler

- Apache module enhancements
    - "OR" coexistence with other authorization modules
    - htaccess-based override of any valid RequestMap property 

- Command line tools
    - samlsign for manual XML signing and verification
    - mdquery for interrogating via metadata configuration
    - resolvertest for exercising attribute extraction, filtering, and
resolution

------

Not Yet Supported

- Migrating 1.3 configuration files

------