NOTE: The shibboleth2.xml configuration format in this release
is fully compatible with the 2.x releases, but there are significant
new options available to simplify the majority of configurations.
A stripped-down default configuration and a "full" example file are
List of issues addressed by this release:
https://bugs.internet2.edu/jira/secure/ReleaseNote.jspa?projectId=10011&version=10273
- SAML 1.0, 1.1, 2.0 Single Sign-On
  - Shibboleth 1.x request profile
  - 1.x POST/Artifact profiles
  - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings
- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
- SAML 2.0 Single Logout
  - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
  - Front and back-channel application notification of logout
  - Race detection of late arriving assertions
- SAML 2.0 NameID Management (IdP-initiated only)
  - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
  - Front and back-channel application notification of changes
- ADFS WS-Federation Support
  - experimental support for SAML 2.0 assertions
- Shibboleth WAYF and SAML DS protocols for IdP Discovery
  - Generates JSON feed of IdPs using UIInfo metadata extensions
- Bulk resolution via local file, or URL with local file backup
- Dynamic resolution and caching based on entityID or MDX
- Filtering based on whitelist, blacklist, or signature verification
- Support for enhanced PKI processing in transport and signature verification
- Metadata Generation Handler
  - Generates and optionally signs SAML metadata based on SP configuration
- Reports on status and configuration of SP
- Dumps information about an active session
- Explicit key and PKIX engines via metadata, superset compatible with 1.3
- PKIX trust engine with static root list
- Configurable per-endpoint Security Policy rules
- Replay and freshness detection
- Simple "blob" signing
- TLS X.509 certificate authentication
- SAML condition handling, including delegation support
- Client transport authentication to SOAP endpoints via libcurl
  - TLS X.509 client certificates
  - Digest-Auth (untested)
- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
- Optional outgoing encryption of NameID in requests and responses
- Black/whitelisting of XML security algorithms (with xml-security 1.6+)
- RSA and ECDSA signatures (EC requires xml-security 1.6+ and support from openssl)
- Metadata-based algorithm selection
- Decoding and exporting SAML 1 and 2 attributes
- Value/scope pairs (legacy and value@scope syntaxes supported)
- XML to base64-encoded XML
- DOM to internal data structure
- KeyInfo-based data, including metadata-derived KeyDescriptors
- Metadata EntityAttributes extension "tags"
- Policy language compatible with IdP filtering, except that references
  only work within policy files, not across them
- Rules based on attribute issuer, requester, scope, value, and authentication
  method, matched by exact string or regular expression
- Boolean functions supporting AND, OR, and NOT for use in composing rules
- Wildcard rules allowing all unspecified attributes through with no filtering
- Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
  containing local URL to fetch SAML assertion using HTTP GET
- Enhanced Spoofing Detection
  - Detects and blocks client headers that would match known attribute headers
  - Key-based mechanism to handle internal server redirection while maintaining protection
- ODBC Clustering Support
  - Tested against a few different servers with various drivers
- RequestMap enhancements
  - Regular expression matching for hosts and paths
  - Query string parameter matching
- Error handling enhancements
  - Reporting of SAML status errors
  - Optional redirection to custom error handler
- Form POST data preservation
  - Support on Apache for preserving URL-encoded form data across SSO
- Apache module enhancements
  - "OR" coexistence with other authorization modules
  - htaccess-based override of any valid RequestMap property
  - htaccess support for external access control plugins
- samlsign for manual XML signing and verification
- mdquery for interrogating via metadata configuration
- resolvertest for exercising attribute extraction, filtering, and resolution
- Migrating 1.3 core configuration file
  - Stylesheet can handle some common options
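An attribute filter policy exercising the features listed above (an in-file rule reference, AND/OR/NOT composition, exact-string and regex matching, scope checking against IdP metadata, and a wildcard catch-all), written as an added example in the SP's attribute-policy.xml format rather than taken from this release note; the attribute IDs affiliation and eppn and the element names and namespace URIs are assumptions drawn from the 2.x filter policy schema.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule referenced below. A reference like this resolves only
         within this policy file, never across files (assumed id name). -->
    <afp:PermitValueRule id="ScopedValueRules" xsi:type="AND">
        <!-- NOT: reject a value that smuggles its own '@scope' inside the value -->
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <!-- the scope must be one the asserting IdP's metadata declares -->
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- ANY: this policy applies regardless of issuer or requester -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- OR over exact-string matches: only a known affiliation set survives -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="OR">
                <Rule xsi:type="AttributeValueString" value="faculty"/>
                <Rule xsi:type="AttributeValueString" value="staff"/>
                <Rule xsi:type="AttributeValueString" value="student"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <!-- scoped attribute checked through the shared AND/NOT rule above -->
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopedValueRules"/>
        </afp:AttributeRule>

        <!-- wildcard: any attribute not named above passes with no filtering -->
        <afp:AttributeRule attributeID="*" permitAny="true"/>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Without the eppn rule, an IdP could assert a scope it does not own in metadata; resolvertest (listed below) is the tool for confirming which values this policy lets through.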