Shibboleth Native SP Release Notes

---------------------------------------------------------------------
This release is dedicated to our friend RL 'Bob' Morgan, who passed
in 2012, and without whom the Shibboleth Project would not have come

http://shibboleth.net/community/news/20120717.html
---------------------------------------------------------------------

Fix/Enhancement Lists:
https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationChanges

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPInterestingFeatures

NOTE: The shibboleth2.xml configuration format in this release
is fully compatible with the 2.x releases, but there are significant
new options available to simplify the majority of configurations.
A stripped down default configuration and a "full" example file are
- SAML 1.0, 1.1, 2.0 Single Sign-On
    - Shibboleth 1.x request profile
    - 1.x POST/Artifact profiles
    - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings

- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin

- SAML 2.0 Single Logout
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of logout
    - Race detection of late arriving assertions

- SAML 2.0 NameID Management (IdP-initiated only)
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of changes

- ADFS WS-Federation Support
    - Experimental support for SAML 2.0 assertions

- Shibboleth WAYF and SAML DS protocols for IdP Discovery
    - Generates JSON feed of IdPs using UIInfo metadata extensions

- Bulk resolution via local file, or URL with local file backup
- Dynamic resolution and caching based on entityID or MDX
- Filtering based on whitelist, blacklist, or signature verification
- Support for enhanced PKI processing in transport and signature verification

- Metadata Generation Handler
    - Generates and optionally signs SAML metadata based on SP configuration

- Reports on status and configuration of SP

- Dumps information about an active session

- Explicit key and PKIX engines via metadata, superset compatible with 1.3
- PKIX trust engine with static root list

- Configurable per-endpoint Security Policy rules
- Replay and freshness detection

- Simple "blob" signing
- TLS X.509 certificate authentication
- SAML condition handling, including delegation support

- Client transport authentication to SOAP endpoints via libcurl
    - TLS X.509 client certificates
    - Digest-Auth (untested)

- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Optional outgoing encryption of NameID in requests and responses

- Black/whitelisting of XML security algorithms (with xml-security 1.6+)
- RSA and ECDSA signatures (EC requires xml-security 1.6+ and support from OpenSSL)
- AES-GCM encryption (requires xml-security 1.7+ and support from OpenSSL)
- Metadata-based algorithm selection

- Decoding and exporting SAML 1 and 2 attributes
    - Value/scope pairs (legacy and value@scope syntaxes supported)
    - XML to base64-encoded XML
    - DOM to internal data structure
    - KeyInfo-based data, including metadata-derived KeyDescriptors
    - Metadata EntityAttributes extension "tags"
- Attribute Filtering
    - Policy language compatible with IdP filtering, except that references
      only work within policy files, not across them
    - Rules based on attribute issuer, requester, scope, value, and authentication
      method, matched by exact string or regular expression
    - Boolean functions supporting AND, OR, and NOT for use in composing rules
    - Wildcard rules allowing all unspecified attributes through with no filtering
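Added example, not the SP's own filter engine: a small evaluator for the kind of policy described under Attribute Filtering, with rules on issuer, requester, scope and value (exact string or regular expression), AND/OR/NOT composition, and a wildcard entry that passes unlisted attributes through. The rule constructors, the policy table and the sample entityIDs are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Context:
    issuer: str      # entityID of the IdP that asserted the attributes (assumed value)
    requester: str   # entityID of this SP (assumed value)

@dataclass
class Attr:
    name: str
    values: list     # plain values or "value@scope" strings

def split_scope(v):
    # 'alice@example.org' -> ('alice', 'example.org'); an unscoped value -> (v, None)
    value, sep, scope = v.partition("@")
    return value, (scope if sep else None)

# A rule is a predicate(ctx, value) -> bool, in exact-string or regex form.
def issuer_is(s):     return lambda ctx, v: ctx.issuer == s
def requester_is(s):  return lambda ctx, v: ctx.requester == s
def value_is(s):      return lambda ctx, v: split_scope(v)[0] == s
def scope_matches(p):
    def rule(ctx, v):
        scope = split_scope(v)[1]
        return scope is not None and re.fullmatch(p, scope) is not None
    return rule

# Boolean composition of rules, and the wildcard that lets everything through.
def AND(*rules): return lambda ctx, v: all(r(ctx, v) for r in rules)
def OR(*rules):  return lambda ctx, v: any(r(ctx, v) for r in rules)
def NOT(rule):   return lambda ctx, v: not rule(ctx, v)
ANY = lambda ctx, v: True

# Constructed policy: attribute name -> permit rule; "*" covers unlisted attributes.
POLICY = {
    "eppn": AND(issuer_is("https://idp.example.org/idp"), scope_matches(r"example\.org")),
    "affiliation": OR(value_is("member"), value_is("staff")),
    "*": ANY,
}

def filter_attributes(ctx, attrs, policy=POLICY):
    """Keep only the values each attribute's rule permits; drop attributes left empty."""
    kept = []
    for a in attrs:
        rule = policy.get(a.name, policy.get("*"))
        if rule is None:
            continue                      # no rule and no wildcard: attribute is dropped
        permitted = [v for v in a.values if rule(ctx, v)]
        if permitted:
            kept.append(Attr(a.name, permitted))
    return kept
```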
- Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
  containing a local URL to fetch the SAML assertion using HTTP GET

- Enhanced Spoofing Detection
    - Detects and blocks client headers that would match known attribute headers
    - Key-based mechanism to handle internal server redirection while maintaining protection
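Added example (not the Shibboleth SP's own code) of the two mechanisms listed under Enhanced Spoofing Detection: rejecting client-supplied headers that collide with the names the SP exports, while letting a request that carries the server's own redirect key through, since its values were set server-side. The protected header names, the key header name and the key generation are assumptions made for the example.

```python
import hmac
import secrets

# Header names the SP sets from the session and a client must never supply.
# Constructed list; the real names come from the SP's attribute map.
PROTECTED = {"shib-session-id", "shib-identity-provider",
             "shib-authentication-method", "remote_user", "eppn", "affiliation"}
KEY_HEADER = "shib-spoof-check"   # assumed name of the internal-redirect key header

def new_spoof_key():
    """Per-server-start secret that marks a request as an internal redirect."""
    return secrets.token_hex(16)

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def find_spoofed(headers):
    """Request header names that collide with protected attribute headers."""
    return sorted(PROTECTED & set(_lower(headers)))

def is_internal_redirect(headers, key):
    """True only if the request carries the exact key this server set earlier."""
    presented = _lower(headers).get(KEY_HEADER, "")
    return hmac.compare_digest(presented.encode(), key.encode())

def check_request(headers, key):
    """(allowed, spoofed_names): collisions are blocked unless the request is a keyed
    internal redirect, in which case the values were set server-side, not by the client."""
    spoofed = find_spoofed(headers)
    if spoofed and not is_internal_redirect(headers, key):
        return False, spoofed
    return True, spoofed

def export_session(headers, session_attrs, key):
    """Headers handed to the application: drop any client copies of protected names
    and of the key header, then set the session's values and the redirect key."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in PROTECTED and k.lower() != KEY_HEADER}
    out.update(session_attrs)
    out[KEY_HEADER] = key
    return out
```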
- ODBC Clustering Support
    - Tested against a few different servers with various drivers

- RequestMap enhancements
    - Regular expression matching for hosts and paths
    - Query string parameter matching

- Error handling enhancements
    - Reporting of SAML status errors
    - Optional redirection to custom error handler

- Form POST data preservation
    - Support on Apache for preserving URL-encoded form data across SSO

- Apache module enhancements
    - Apache 2.4 support including authz
    - "OR" coexistence with other authz modules on older Apache
    - htaccess-based override of any valid RequestMap property
    - htaccess support for external access control plugins

- samlsign for manual XML signing and verification
- mdquery for interrogating metadata via the SP's metadata configuration
- resolvertest for exercising attribute extraction, filtering, and resolution