-Release Notes
+Shibboleth Native SP Release Notes
-Shibboleth Native SP
-2.0alpha2
-7/13/2007
+Fix/Enhancement Lists:
+https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap
-Fully Supported (no major changes planned prior to stable release)
+Important Changes:
+https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationChanges
+
+Feature Highlights:
+https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPInterestingFeatures
+
+NOTE: The shibboleth2.xml configuration format in this release
+is fully compatible with the 2.x releases, but there are significant
+new options available to simplify the majority of configurations.
+A stripped down default configuration and a "full" example file are
+included.
+
+Fully Supported
- SAML 1.0, 1.1, 2.0 Single Sign-On
- Shibboleth 1.x request profile
- 1.x POST/Artifact profiles
- - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings
- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
- SAML SOAP binding
+- SAML 2.0 Single Logout
+ - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - Front and back-channel application notification of logout
+ - Race detection of late arriving assertions
+
+- SAML 2.0 NameID Management (IdP-initiated only)
+ - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+ - Front and back-channel application notification of changes
+
+- ADFS WS-Federation Support
+ - SSO and SLO
+ - experimental support for SAML 2.0 assertions
+
- Shibboleth WAYF and SAML DS protocols for IdP Discovery
+ - Generates JSON feed of IdPs using UIInfo metadata extensions
- Metadata Providers
- Bulk resolution via local file, or URL with local file backup
- - Filtering based on whitelist, blacklist, or signature verification
+ - Dynamic resolution and caching based on entityID or MDX
+ - Filtering based on whitelist, blacklist, or signature verification
+ - Support for enhanced PKI processing in transport and signature verification
+
+- Metadata Generation Handler
+ - Generates and optionally signs SAML metadata based on SP configuration
+
+- Status Handler
+ - Reports on status and configuration of SP
+
+- Session Handler
+ - Dumps information about an active session
- Trust Engines
- - Explicit key via metadata and PKIX engines, superset compatible with 1.3
+ - Explicit key and PKIX engines via metadata, superset compatible with 1.3
+ - PKIX trust engine with static root list
- Configurable per-endpoint Security Policy rules
- - SAML 1/2 message processing
- Replay and freshness detection
- XML signing
- Simple "blob" signing
- - TLS client certificates
+ - TLS X.509 certificate authentication
+ - SAML condition handling, including delegation support
-- Client transport authentication to SOAP endpoints
- - TLS client certificates
+- Client transport authentication to SOAP endpoints via libcurl
+ - TLS X.509 client certificates
- Basic-Auth
- - Digest-Auth
- - NTLM
+ - Digest-Auth (untested)
+ - NTLM (untested)
- Encryption
- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Optional outgoing encryption of NameID in requests and responses
+- General Security
+ - Black/whitelisting of XML security algorithms (with xml-security 1.6+)
+ - RSA and ECDSA signatures (EC requires xml-security 1.6+ and support from openssl)
+ - AES-GCM encryption (requires xml-security 1.7+ and support from openssl)
+ - Metadata-based algorithm selection
+
- Attributes
- Decoding and exporting SAML 1 and 2 attributes
- Strings
- Value/scope pairs (legacy and value@scope syntaxes supported)
- NameIDs
+ - Base64 to string
+ - XML to base64-encoded XML
+ - DOM to internal data structure
+ - KeyInfo-based data, including metadata-derived KeyDescriptors
+ - Metadata EntityAttributes extension "tags"
- Attribute Filtering
- Policy language compatible with IdP filtering, except that references
- Enhanced Spoofing Detection
- Detects and blocks client headers that would match known attribute headers
+ - Key-based mechanism to handle internal server redirection while maintaining protection
- ODBC Clustering Support
- - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers
-
-------
-
-Partially Supported (lightly or untested, probably contain bugs, may change significantly)
+ - Tested against a few different servers with various drivers
-- SAML 2.0 Single Logout and Local-Only Logout
- - Full support implemented but untested and unlikely to work
- - Race detection to prevent late arriving assertions not yet implemented
- - Front channel application notification implemented but intested
- - Back channel application notification not yet implemented
+- RequestMap enhancements
+ - Regular expression matching for hosts and paths
+ - Query string parameter matching
-------
+- Error handling enhancements
+ - Reporting of SAML status errors
+ - Optional redirection to custom error handler
-Not Yet Supported
+- Form POST data preservation
+ - Support on Apache for preserving URL-encoded form data across SSO
-- ADFS / WS-Federation Support
-- Upgrade installations on Windows
-- Migrating 1.3 configuration files
+- Apache module enhancements
+ - Apache 2.4 support including authz
+ - "OR" coexistence with other authz modules on older Apache
+ - htaccess-based override of any valid RequestMap property
+ - htaccess support for external access control plugins
-------
+- Command line tools
+ - samlsign for manual XML signing and verification
+ - mdquery for interrogating via metadata configuration
+ - resolvertest for exercising attribute extraction, filtering, and resolution