Release Notes
Shibboleth Native SP
-2.0RC1
-1/23/2007
+2.3.1
-Fully Supported (no major changes planned prior to stable release)
+NOTE: The shibboleth2.xml configuration format in this release
+is fully compatible with the 2.1 and 2.2 releases, but there are some small
+changes required to eliminate various warnings about deprecated options.
+
+List of issues addressed by this release:
+https://bugs.internet2.edu/jira/browse/SSPCPP/fixforversion/10271
+
+Fully Supported
- SAML 1.0, 1.1, 2.0 Single Sign-On
- Shibboleth 1.x request profile
- ADFS WS-Federation Support
- SSO and SLO
+ - experimental support for SAML 2.0 assertions
- Shibboleth WAYF and SAML DS protocols for IdP Discovery
- Metadata Providers
- Bulk resolution via local file, or URL with local file backup
- Dynamic resolution and caching based on entityID
- - Filtering based on whitelist, blacklist, or signature verification
+ - Filtering based on whitelist, blacklist, or signature verification
+ - Support for enhanced PKI processing in transport and signature verification
- Metadata Generation Handler
- Generates and optionally signs SAML metadata based on SP configuration
- XML signing
- Simple "blob" signing
- TLS X.509 certificate authentication
+ - SAML condition handling
-- Client transport authentication to SOAP endpoints
+- Client transport authentication to SOAP endpoints via libcurl
- TLS X.509 client certificates
- Basic-Auth
- - Digest-Auth
- - NTLM
+ - Digest-Auth (untested)
+ - NTLM (untested)
- Encryption
- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Strings
- Value/scope pairs (legacy and value@scope syntaxes supported)
- NameIDs
+ - XML to base64-encoded XML
+ - DOM to internal data structure
+ - KeyInfo-based data, including metadata-derived KeyDescriptors
+ - Metadata EntityAttributes extension "tags"
- Attribute Filtering
- Policy language compatible with IdP filtering, except that references
- Enhanced Spoofing Detection
- Detects and blocks client headers that would match known attribute headers
+ - Key-based mechanism to handle internal server redirection while maintaining protection
- ODBC Clustering Support
- - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers
+ - Tested against a few different servers with various drivers
- RequestMap enhancements
- Regular expression matching for hosts and paths
- Reporting of SAML status errors
- Optional redirection to custom error handler
+- Form POST data preservation
+ - Support on Apache for preserving URL-encoded form data across SSO
+
- Apache module enhancements
- "OR" coexistence with other authorization modules
- htaccess-based override of any valid RequestMap property
- mdquery for interrogating via metadata configuration
- resolvertest for exercising attribute extraction, filtering, and resolution
-------
-
-Not Yet Supported
-
-- Migrating 1.3 configuration files
-
-------
+- Migrating 1.3 core configuration file
+ - Stylesheet can handle some common options
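Review bot: Deleting the trailing "-------" / "Not Yet Supported" heading while adding "+- Migrating 1.3 core configuration file" at the end of the hunk leaves that item, whose own sub-bullet says the stylesheet only "can handle some common options", sitting directly under the "Fully Supported" list with nothing separating it; keep a "Not Yet Supported" (or "Partially Supported") heading above it, or move the item, so readers do not take 1.3 migration as fully supported. Two smaller points in the same hunk: the new header "+2.3.1" drops the release date that the old "-1/23/2007" line carried, so consider adding the 2.3.1 date alongside the JIRA link, and the blank "+" line inserted after "+ - Support on Apache for preserving URL-encoded form data across SSO" is the only blank line between items in that list, so drop it to keep the list spacing consistent.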