Release Notes Shibboleth Native SP 2.0RC1 1/23/2007 NOTE: The shibboleth2.xml configuration format in this release is not compatible with earlier releases. Please start from scratch or manually copy settings over. This version will remain compatible with the final release. Fully Supported (no major changes planned prior to stable release) - SAML 1.0, 1.1, 2.0 Single Sign-On - Shibboleth 1.x request profile - 1.x POST/Artifact profiles - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings - SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin - SAML SOAP binding - SAML 2.0 Single Logout - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings - Front and back-channel application notification of logout - Race detection of late arriving assertions - SAML 2.0 NameID Management (IdP-initiated only) - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings - Front and back-channel application notification of changes - ADFS WS-Federation Support - SSO and SLO - Shibboleth WAYF and SAML DS protocols for IdP Discovery - Metadata Providers - Bulk resolution via local file, or URL with local file backup - Dynamic resolution and caching based on entityID - Filtering based on whitelist, blacklist, or signature verification - Metadata Generation Handler - Generates and optionally signs SAML metadata based on SP configuration - Status Handler - Reports on status and configuration of SP - Session Handler - Dumps information about an active session - Trust Engines - Explicit key and PKIX engines via metadata, superset compatible with 1.3 - PKIX trust engine with static root list - Configurable per-endpoint Security Policy rules - Replay and freshness detection - XML signing - Simple "blob" signing - TLS X.509 certificate authentication - Client transport authentication to SOAP endpoints - TLS X.509 client certificates - Basic-Auth - Digest-Auth - NTLM - Encryption - All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute) - Optional outgoing encryption of NameID in requests and responses - Attributes - Decoding and exporting SAML 1 and 2 attributes - Strings - Value/scope pairs (legacy and value@scope syntaxes supported) - NameIDs - Attribute Filtering - Policy language compatible with IdP filtering, except that references only work within policy files, not across them - Rules based on, attribute issuer, requester, scope, and value, authentication method, based on exact string and regular expressions. - Boolean functions supporting AND, OR, and NOT for use in composing rules - Wildcard rules allowing all unspecified attributes through with no filtering - Assertion Export - Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers containing local URL to fetch SAML assertion using HTTP GET - Enhanced Spoofing Detection - Detects and blocks client headers that would match known attribute headers - ODBC Clustering Support - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers - RequestMap enhancements - Regular expression matching for hosts and paths - Query string parameter matching - Error handling enhancements - Reporting of SAML status errors - Optional redirection to custom error handler - Apache module enhancements - "OR" coexistence with other authorization modules - htaccess-based override of any valid RequestMap property - Command line tools - samlsign for manual XML signing and verification - mdquery for interrogating via metadata configuration - resolvertest for exercising attribute extraction, filtering, and resolution ------ Not Yet Supported - Migrating 1.3 configuration files ------