Update doc files

[shibboleth/cpp-sp.git] / doc / RELEASE.txt

Shibboleth Native SP Release Notes

---------------------------------------------------------------------
This release is dedicated to our friend RL 'Bob' Morgan, who passed
in 2012, and without which the Shibboleth Project would not have come
into being.

http://shibboleth.net/community/news/20120717.html
---------------------------------------------------------------------

Fix/Enhancement Lists:
https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap

Important Changes:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationChanges

Feature Highlights:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPInterestingFeatures

NOTE: The shibboleth2.xml configuration format in this release
is fully compatible with the 2.x releases, but there are significant
new options available to simplify the majority of configurations.
A stripped down default configuration and a "full" example file are
included.

Fully Supported

- SAML 1.0, 1.1, 2.0 Single Sign-On
        - Shibboleth 1.x request profile
        - 1.x POST/Artifact profiles
        - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings

- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
        - SAML SOAP binding

- SAML 2.0 Single Logout
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of logout
    - Race detection of late arriving assertions

- SAML 2.0 NameID Management (IdP-initiated only)
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of changes

- ADFS WS-Federation Support
    - SSO and SLO
    - experimental support for SAML 2.0 assertions

- Shibboleth WAYF and SAML DS protocols for IdP Discovery
    - Generates JSON feed of IdPs using UIInfo metadata extensions

- Metadata Providers
        - Bulk resolution via local file, or URL with local file backup
        - Dynamic resolution and caching based on entityID or MDX 
        - Filtering based on whitelist, blacklist, or signature verification
        - Support for enhanced PKI processing in transport and signature verification

- Metadata Generation Handler
    - Generates and optionally signs SAML metadata based on SP configuration

- Status Handler
    - Reports on status and configuration of SP
    
- Session Handler
    - Dumps information about an active session 

- Trust Engines
        - Explicit key and PKIX engines via metadata, superset compatible with 1.3
        - PKIX trust engine with static root list
        
- Configurable per-endpoint Security Policy rules
        - Replay and freshness detection
        - XML signing
        - Simple "blob" signing
        - TLS X.509 certificate authentication
        - SAML condition handling, including delegation support

- Client transport authentication to SOAP endpoints via libcurl
        - TLS X.509 client certificates
        - Basic-Auth
        - Digest-Auth (untested)
        - NTLM (untested)

- Encryption
        - All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
        - Optional outgoing encryption of NameID in requests and responses

- General Security
    - Black/whitelisting of XML security algorithms (with xml-security 1.6+)
    - RSA and ECDSA signatures (EC requires xml-security 1.6+ and support from openssl)
    - AES-GCM encryption (requires xml-security 1.7+ and support from openssl)
    - Metadata-based algorithm selection 

- Attributes
        - Decoding and exporting SAML 1 and 2 attributes
                - Strings
                - Value/scope pairs (legacy and value@scope syntaxes supported)
                - NameIDs
                - Base64 to string
        - XML to base64-encoded XML
                - DOM to internal data structure
                - KeyInfo-based data, including metadata-derived KeyDescriptors
                - Metadata EntityAttributes extension "tags"

- Attribute Filtering
        - Policy language compatible with IdP filtering, except that references
                only work within policy files, not across them
        - Rules based on, attribute issuer, requester, scope, and value, authentication
                method, based on exact string and regular expressions.
    - Boolean functions supporting AND, OR, and NOT for use in composing rules
    - Wildcard rules allowing all unspecified attributes through with no filtering

- Assertion Export
        - Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
                containing local URL to fetch SAML assertion using HTTP GET

- Enhanced Spoofing Detection
        - Detects and blocks client headers that would match known attribute headers
        - Key-based mechanism to handle internal server redirection while maintaining protection

- ODBC Clustering Support
        - Tested against a few different servers with various drivers

- RequestMap enhancements
    - Regular expression matching for hosts and paths
    - Query string parameter matching

- Error handling enhancements
    - Reporting of SAML status errors
    - Optional redirection to custom error handler

- Form POST data preservation
    - Support on Apache for preserving URL-encoded form data across SSO 

- Apache module enhancements
    - Apache 2.4 support including authz 
    - "OR" coexistence with other authz modules on older Apache
    - htaccess-based override of any valid RequestMap property
    - htaccess support for external access control plugins

- Command line tools
    - samlsign for manual XML signing and verification
    - mdquery for interrogating via metadata configuration
    - resolvertest for exercising attribute extraction, filtering, and resolution