Release Notes
Shibboleth Native SP
-2.0beta1
-9/15/2007
+2.0
+3/17/2008
-Fully Supported (no major changes planned prior to stable release)
+NOTE: The shibboleth2.xml configuration format in this release
+is compatible with the RC1 release. Upgrading from earlier
+releases is NOT supported without replacing the configuration
+file and reapplying changes.
+
+Fully Supported
- SAML 1.0, 1.1, 2.0 Single Sign-On
- Shibboleth 1.x request profile
- 1.x POST/Artifact profiles
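Review bot: The NOTE added under the version header says upgrading from "earlier releases" is not supported without replacing the configuration file, but it does not say which releases that covers; only RC1 is named as compatible. Suggest naming the affected releases (the header previously read 2.0beta1) and pointing to the 1.3 migration entry at the end of the file, so an operator knows when local changes to shibboleth2.xml have to be reapplied by hand.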
- - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings
- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
- SAML SOAP binding
- Front and back-channel application notification of logout
- Race detection of late arriving assertions
+- SAML 2.0 NameID Management (IdP-initiated only)
+ - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - Front and back-channel application notification of changes
+
- ADFS WS-Federation Support
- SSO and SLO
+ - experimental support for SAML 2.0 assertions
- Shibboleth WAYF and SAML DS protocols for IdP Discovery
- Dynamic resolution and caching based on entityID
- Filtering based on whitelist, blacklist, or signature verification
+- Metadata Generation Handler
+ - Generates and optionally signs SAML metadata based on SP configuration
+
+- Status Handler
+ - Reports on status and configuration of SP
+
+- Session Handler
+ - Dumps information about an active session
+
- Trust Engines
- Explicit key and PKIX engines via metadata, superset compatible with 1.3
- PKIX trust engine with static root list
- Simple "blob" signing
- TLS X.509 certificate authentication
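Review bot: The new Status Handler and Session Handler entries describe endpoints that report "status and configuration of SP" and dump "information about an active session", but the notes do not say who can reach them. Suggest adding a line under each stating whether access is restricted by default and how an operator limits it, since both expose deployment and session detail.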
-- Client transport authentication to SOAP endpoints
+- Client transport authentication to SOAP endpoints via libcurl
- TLS X.509 client certificates
- Basic-Auth
- - Digest-Auth
- - NTLM
+ - Digest-Auth (untested)
+ - NTLM (untested)
- Encryption
- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Enhanced Spoofing Detection
- Detects and blocks client headers that would match known attribute headers
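Review bot: Digest-Auth and NTLM are now marked "(untested)" but still sit under the "Fully Supported" heading, as does the "experimental support for SAML 2.0 assertions" line added under ADFS. Suggest moving untested and experimental items into their own section, or qualifying the heading, so deployers do not rely on them for SOAP endpoint authentication on the strength of the heading alone.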
+ - Does not support Apache mod_rewrite, but can be disabled when necessary
- ODBC Clustering Support
- - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers
+ - Tested against a few different servers with various drivers
- RequestMap enhancements
- Regular expression matching for hosts and paths
- mdquery for interrogating via metadata configuration
- resolvertest for exercising attribute extraction, filtering, and resolution
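Review bot: In the added line "Does not support Apache mod_rewrite, but can be disabled when necessary", the subject of "can be disabled" is unclear; it reads as if mod_rewrite is the thing being disabled. Suggest stating that the spoofing detection can be turned off, and that doing so removes the blocking of client headers matching known attribute headers described on the line above. The ODBC line also replaces the named server and drivers with "a few different servers with various drivers"; listing what was actually tested would be more useful to someone planning a clustered deployment.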
-------
-
-Not Yet Supported
-
-- Metadata generation
-- Status handler
-- Embedded discovery UI
-- Upgrade installations on Windows
-- Migrating 1.3 configuration files
-- NameID management
-
-------
+- Migrating 1.3 core configuration file
+ - Stylesheet can handle some common options
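Review bot: With the "Not Yet Supported" heading removed, "Migrating 1.3 core configuration file" now reads as a supported feature, yet its sub-item says the stylesheet handles only "some common options". Suggest listing which options are converted, or stating that the generated file must be reviewed by hand before use. The removed "Embedded discovery UI" and "Upgrade installations on Windows" entries also have no added counterpart, so their status in 2.0 is left unstated; a short "Not Supported" list would keep that visible.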