+++ /dev/null
-9/1/05
-Version 1.3a
-
-Fix for secadv 20050901
-
-7/15/05
-Version 1.3
-
-See http://shibboleth.internet2.edu for details of this
-new major release.
-
-11/15/04
-Version 1.2.1
-
-This release is a fully compatible minor update
-to the Shibboleth 1.2.1 release. It addesses problems
-and small functional gaps identified since the release
-of the previous version.
-
-New features in 1.2
--------------------
-Support for the target software on Mac OS X
-
-Improved target RequestMap handling of web sites
-running on both http and https.
-
-Bug Fixes
----------
-Target build scripts better detect and handle threading
-and RPC issues.
-
-Variety of target race conditions and exceptions in RPC
-and socket handling.
-
-Bugs in assertion condition handling.
-
-Target RequestMap should ignore query strings.
-
-Fixed the library path in Windows resolvertest batch
-file loader.
-
-Fixed a crash in extkeytool program.
-
-Fixed a file descriptor leak in the IdP.
-
-Fixed a bug that prevented the HS from supporting
-multiple SAML Name Identifier formats.
-
-The attribute resolver now retains the order of attribute
-values obtained from data connectors.
-
-The JDBC Data Connector ignores case when mapping
-sourceName to the attribute name.
-
-Minor udpates to documentation.
-
-Rev'd dependant java libraries (Xerces, Commons Pool,
-Commons DBCP)
-
-
--------
-4/30/04
-Version 1.2
-
-This release represents a fully compatible minor update
-to the Shibboleth 1.0 release, and is considered to be
-ready for production use.
-
-New features in 1.2
-
-Origin
------------------
-
-Multi-federation support. Most origin configuration,
-including signing credentials and identifiers, can be
-overriden depending on the recipient of the assertions.
-
-Simplified application architecture. Both origins
-and targets now reference each other using a single
-identifier called a "provider id".
-
-The Attribute Authority can be configured to answer
-requests with multiple SAML Subject formats,
-increasing interoperability with other SAML-based
-software.
-
-Signing credentials can now be loaded from a variety
-of formats, including those commonly used with OpenSSL.
-
-The origin now validates all requests from 1.2+ targets
-against federation metadata.
-
-Compatibility with 1.1 targets using a "legacy" or
-"default" configuration.
-
-Separate logs are created for errors and transaction
-auditing.
-
-Easier logging configuration.
-
-Support is included for pulling attribute data from SQL
-databases using JDBC. The JDBC Data Connector includes
-support for conection pooling and prepared statements.
-
-Mechanism for throttling requests to the Handle Service.
-This improves performance by preventing the server from
-becoming saturated with signing requests. Throttle can
-be adjusted based for servers with more than two CPUs.
-
-Support for signatures on all SAML Assertions and
-Responses, which allows for more interoperability
-with other SAML-based software and profiles.
-
-Attribute Release Policies can contain match functions
-on attribute values. This allows the release of specific
-values based on regular expression.
-
-Support has been added to the Attribute Authority for
-using alternate data connectors in the event of a
-failure.
-
-The resolvertest program can now process and enforce
-Attribute Release Policies.
-
-Updated library dependencies, including OpenSAML and XML
-Security, with substantial performance improvements when
-signing.
-
-Many important bug fixes
-
-
-Target
------------------
-
-New XML-based configuration system supporting runtime
-adjustment of many settings and better integration with
-supplemental configuration files
-
-Ability to partition deployment into "Applications" at the
-vhost, path, or document level
-
-"Lazy" sessions allow applications to redirect browser
-to initiate a session, allowing content to decide it
-needs authentication or attributes at runtime
-
-Flexible support for multi-federation deployment, including
-selection of credentials and authorities based on the request
-and the origin site or federation
-
-Support for more types of key and certificate formats
-
-Improved pluggability for many aspects of system, including
-access control modules
-
-Clearer trace logging and support for a transaction/audit log
-
-Pooling and caching of HTTP and TLS connections to origins
-
-Support for alternative SAML name formats for intra-enterprise
-deployments and better interoperability with SAML products
-
-Support for tailoring attribute query behavior, particularly
-non-fatal failure modes for intelligent applications prepared
-to deal with missing information
-
-Updated library dependencies, including OpenSAML, Xerces parser,
-XML Security, and support for all GCC 3.x compiler versions
-
-Support for Apache 2.0 as well as Apache 1.3 and IIS
-
-Many important bug fixes
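Review bot: removing this file wholesale drops the 1.3a entry "Fix for secadv 20050901" along with the 1.2 and 1.2.1 fix history, and the replacement notes carry no pointer to any of it. Keep the old entries under a history section or in a separate file, or add a line to the new notes saying where earlier release notes and the advisory fix are documented, so someone auditing a 1.3 deployment can still find which release carried the security fix.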
--- /dev/null
+Release Notes
+
+Shibboleth Native SP
+2.0alpha2
+7/13/2007
+
+Fully Supported (no major changes planned prior to stable release)
+
+- SAML 1.0, 1.1, 2.0 Single Sign-On
+ - Shibboleth 1.x request profile
+ - 1.x POST/Artifact profiles
+ - 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
+
+- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
+ - SAML SOAP binding
+
+- Shibboleth WAYF and SAML DS protocols for IdP Discovery
+
+- Metadata Providers
+ - Bulk resolution via local file, or URL with local file backup
+ - Filtering based on whitelist, blacklist, or signature verification
+
+- Trust Engines
+ - Explicit key via metadata and PKIX engines, superset compatible with 1.3
+
+- Configurable per-endpoint Security Policy rules
+ - SAML 1/2 message processing
+ - Replay and freshness detection
+ - XML signing
+ - Simple "blob" signing
+ - TLS client certificates
+
+- Client transport authentication to SOAP endpoints
+ - TLS client certificates
+ - Basic-Auth
+ - Digest-Auth
+ - NTLM
+
+- Encryption
+ - All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
+ - Optional outgoing encryption of NameID in requests and responses
+
+- Attributes
+ - Decoding and exporting SAML 1 and 2 attributes
+ - Strings
+ - Value/scope pairs (legacy and value@scope syntaxes supported)
+ - NameIDs
+
+- Attribute Filtering
+ - Policy language compatible with IdP filtering, except that references
+ only work within policy files, not across them
+ - Rules based on, attribute issuer, requester, scope, and value, authentication
+ method, based on exact string and regular expressions.
+ - Boolean functions supporting AND, OR, and NOT for use in composing rules
+ - Wildcard rules allowing all unspecified attributes through with no filtering
+
+- Assertion Export
+ - Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
+ containing local URL to fetch SAML assertion using HTTP GET
+
+- Enhanced Spoofing Detection
+ - Detects and blocks client headers that would match known attribute headers
+
+- ODBC Clustering Support
+ - Only tested against Microsoft SQL Server using MS and FreeDTS ODBC drivers
+
+------
+
+Partially Supported (lightly or untested, probably contain bugs, may change significantly)
+
+- SAML 2.0 Single Logout and Local-Only Logout
+ - Full support implemented but untested and unlikely to work
+ - Race detection to prevent late arriving assertions not yet implemented
+ - Front channel application notification implemented but intested
+ - Back channel application notification not yet implemented
+
+------
+
+Not Yet Supported
+
+- ADFS / WS-Federation Support
+- Upgrade installations on Windows
+- Migrating 1.3 configuration files
+
+------
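Review bot: in the "Partially Supported" logout block, "Full support implemented but untested and unlikely to work" contradicts itself, and "Race detection to prevent late arriving assertions not yet implemented" is a security-relevant gap that should be stated as a known limitation with what a deployer should expect from logout until it lands. Under "Attribute Filtering", the line "Wildcard rules allowing all unspecified attributes through with no filtering" should say whether that behaviour is opt-in, and "Enhanced Spoofing Detection" should say what happens to client headers that do not match a known attribute header. Spelling and punctuation to fix in the same pass: "intested" should be "untested", "FreeDTS" should be "FreeTDS", and "Rules based on, attribute issuer" has a stray comma.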