Release Notes
Shibboleth Native SP
-2.0alpha2
-7/13/2007
+2.0RC1
+1/23/2007
+
+NOTE: The shibboleth2.xml configuration format in this release
+is not compatible with earlier releases. Please start from scratch
+or manually copy settings over. This version will remain compatible
+with the final release.
Fully Supported (no major changes planned prior to stable release)
- SAML 1.0, 1.1, 2.0 Single Sign-On
- Shibboleth 1.x request profile
- 1.x POST/Artifact profiles
- - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings
- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
- SAML SOAP binding
+- SAML 2.0 Single Logout
+ - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - Front and back-channel application notification of logout
+ - Race detection of late arriving assertions
+
+- SAML 2.0 NameID Management (IdP-initiated only)
+ - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - Front and back-channel application notification of changes
+
+- ADFS WS-Federation Support
+ - SSO and SLO
+
- Shibboleth WAYF and SAML DS protocols for IdP Discovery
- Metadata Providers
- Bulk resolution via local file, or URL with local file backup
+ - Dynamic resolution and caching based on entityID
- Filtering based on whitelist, blacklist, or signature verification
+- Metadata Generation Handler
+ - Generates and optionally signs SAML metadata based on SP configuration
+
+- Status Handler
+ - Reports on status and configuration of SP
+
+- Session Handler
+ - Dumps information about an active session
+
- Trust Engines
- - Explicit key via metadata and PKIX engines, superset compatible with 1.3
+ - Explicit key and PKIX engines via metadata, superset compatible with 1.3
+ - PKIX trust engine with static root list
- Configurable per-endpoint Security Policy rules
- - SAML 1/2 message processing
- Replay and freshness detection
- XML signing
- Simple "blob" signing
- - TLS client certificates
+ - TLS X.509 certificate authentication
- Client transport authentication to SOAP endpoints
- - TLS client certificates
+ - TLS X.509 client certificates
- Basic-Auth
- Digest-Auth
- NTLM
- ODBC Clustering Support
- Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers
-------
+- RequestMap enhancements
+ - Regular expression matching for hosts and paths
+ - Query string parameter matching
+
+- Error handling enhancements
+ - Reporting of SAML status errors
+ - Optional redirection to custom error handler
-Partially Supported (lightly or untested, probably contain bugs, may change significantly)
+- Apache module enhancements
+ - "OR" coexistence with other authorization modules
+ - htaccess-based override of any valid RequestMap property
-- SAML 2.0 Single Logout and Local-Only Logout
- - Full support implemented but untested and unlikely to work
- - Race detection to prevent late arriving assertions not yet implemented
- - Front channel application notification implemented but intested
- - Back channel application notification not yet implemented
+- Command line tools
+ - samlsign for manual XML signing and verification
+ - mdquery for interrogating via metadata configuration
+ - resolvertest for exercising attribute extraction, filtering, and resolution
------
Not Yet Supported
-- ADFS / WS-Federation Support
-- Upgrade installations on Windows
- Migrating 1.3 configuration files
------
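Review bot: the RC1 date on the changed header line, `+1/23/2007`, is six months earlier than the `-7/13/2007` alpha2 date it replaces, so the release that supersedes alpha2 appears to predate it; check the year before merging. Two smaller points: the added line `+ - mdquery for interrogating via metadata configuration` reads awkwardly and should say what is being interrogated (for example `mdquery for querying the SP's metadata configuration`), and the unchanged context line `- Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers` spells the driver name `FreeDTS` where the project is FreeTDS, which this patch could correct while it is touching the file.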