Release Notes Shibboleth Native SP 2.3.1 NOTE: The shibboleth2.xml configuration format in this release is fully compatible with the 2.1 and 2.2 releases, but there are some small changes required to eliminate various warnings about deprecated options. List of issues addressed by this release: https://bugs.internet2.edu/jira/browse/SSPCPP/fixforversion/10271 Fully Supported - SAML 1.0, 1.1, 2.0 Single Sign-On - Shibboleth 1.x request profile - 1.x POST/Artifact profiles - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings - SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin - SAML SOAP binding - SAML 2.0 Single Logout - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings - Front and back-channel application notification of logout - Race detection of late arriving assertions - SAML 2.0 NameID Management (IdP-initiated only) - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings - Front and back-channel application notification of changes - ADFS WS-Federation Support - SSO and SLO - experimental support for SAML 2.0 assertions - Shibboleth WAYF and SAML DS protocols for IdP Discovery - Metadata Providers - Bulk resolution via local file, or URL with local file backup - Dynamic resolution and caching based on entityID - Filtering based on whitelist, blacklist, or signature verification - Support for enhanced PKI processing in transport and signature verification - Metadata Generation Handler - Generates and optionally signs SAML metadata based on SP configuration - Status Handler - Reports on status and configuration of SP - Session Handler - Dumps information about an active session - Trust Engines - Explicit key and PKIX engines via metadata, superset compatible with 1.3 - PKIX trust engine with static root list - Configurable per-endpoint Security Policy rules - Replay and freshness detection - XML signing - Simple "blob" signing - TLS X.509 certificate authentication - SAML condition handling - Client transport authentication to SOAP endpoints via libcurl - TLS X.509 client certificates - Basic-Auth - Digest-Auth (untested) - NTLM (untested) - Encryption - All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute) - Optional outgoing encryption of NameID in requests and responses - Attributes - Decoding and exporting SAML 1 and 2 attributes - Strings - Value/scope pairs (legacy and value@scope syntaxes supported) - NameIDs - XML to base64-encoded XML - DOM to internal data structure - KeyInfo-based data, including metadata-derived KeyDescriptors - Metadata EntityAttributes extension "tags" - Attribute Filtering - Policy language compatible with IdP filtering, except that references only work within policy files, not across them - Rules based on, attribute issuer, requester, scope, and value, authentication method, based on exact string and regular expressions. - Boolean functions supporting AND, OR, and NOT for use in composing rules - Wildcard rules allowing all unspecified attributes through with no filtering - Assertion Export - Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers containing local URL to fetch SAML assertion using HTTP GET - Enhanced Spoofing Detection - Detects and blocks client headers that would match known attribute headers - Key-based mechanism to handle internal server redirection while maintaining protection - ODBC Clustering Support - Tested against a few different servers with various drivers - RequestMap enhancements - Regular expression matching for hosts and paths - Query string parameter matching - Error handling enhancements - Reporting of SAML status errors - Optional redirection to custom error handler - Form POST data preservation - Support on Apache for preserving URL-encoded form data across SSO - Apache module enhancements - "OR" coexistence with other authorization modules - htaccess-based override of any valid RequestMap property - Command line tools - samlsign for manual XML signing and verification - mdquery for interrogating via metadata configuration - resolvertest for exercising attribute extraction, filtering, and resolution - Migrating 1.3 core configuration file - Stylesheet can handle some common options