NOTE: The shibboleth2.xml configuration format in this release
is fully compatible with the 2.1 and 2.2 releases, but there are some small
changes required to eliminate various warnings about deprecated options.

List of issues addressed by this release:
https://bugs.internet2.edu/jira/browse/SSPCPP/fixforversion/10271

- SAML 1.0, 1.1, 2.0 Single Sign-On
- Shibboleth 1.x request profile
- 1.x POST/Artifact profiles
- 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings

- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin

- SAML 2.0 Single Logout
- HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
- Front and back-channel application notification of logout
- Race detection of late arriving assertions

- SAML 2.0 NameID Management (IdP-initiated only)
- HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
- Front and back-channel application notification of changes

- ADFS WS-Federation Support
- experimental support for SAML 2.0 assertions

- Shibboleth WAYF and SAML DS protocols for IdP Discovery

- Bulk resolution via local file, or URL with local file backup
- Dynamic resolution and caching based on entityID
- Filtering based on whitelist, blacklist, or signature verification
- Support for enhanced PKI processing in transport and signature verification

- Metadata Generation Handler
- Generates and optionally signs SAML metadata based on SP configuration

- Reports on status and configuration of SP

- Dumps information about an active session

- Explicit key and PKIX engines via metadata, superset compatible with 1.3
- PKIX trust engine with static root list

- Configurable per-endpoint Security Policy rules
- Replay and freshness detection
- Simple "blob" signing
- TLS X.509 certificate authentication
- SAML condition handling

- Client transport authentication to SOAP endpoints via libcurl
- TLS X.509 client certificates
- Digest-Auth (untested)

- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Optional outgoing encryption of NameID in requests and responses

- Decoding and exporting SAML 1 and 2 attributes
- Value/scope pairs (legacy and value@scope syntaxes supported)
- XML to base64-encoded XML
- DOM to internal data structure
- KeyInfo-based data, including metadata-derived KeyDescriptors
- Metadata EntityAttributes extension "tags"

- Policy language compatible with IdP filtering, except that references
  only work within policy files, not across them
- Rules based on attribute issuer, requester, scope, value, and authentication
  method, using exact string and regular expression matching
- Boolean functions supporting AND, OR, and NOT for use in composing rules
- Wildcard rules allowing all unspecified attributes through with no filtering

- Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
  containing local URL to fetch SAML assertion using HTTP GET

- Enhanced Spoofing Detection
- Detects and blocks client headers that would match known attribute headers
- Key-based mechanism to handle internal server redirection while maintaining protection

- ODBC Clustering Support
- Tested against a few different servers with various drivers

- RequestMap enhancements
- Regular expression matching for hosts and paths
- Query string parameter matching

- Error handling enhancements
- Reporting of SAML status errors
- Optional redirection to custom error handler

- Form POST data preservation
- Support on Apache for preserving URL-encoded form data across SSO

- Apache module enhancements
- "OR" coexistence with other authorization modules
- htaccess-based override of any valid RequestMap property

- samlsign for manual XML signing and verification
- mdquery for interrogating via metadata configuration
- resolvertest for exercising attribute extraction, filtering, and resolution

- Migrating 1.3 core configuration file
- Stylesheet can handle some common options