From: cantor Date: Thu, 31 Jul 2003 15:04:54 +0000 (+0000) Subject: Updated feature list. X-Git-Tag: 2.4~2179 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=1865515a64bca0fddb7f85656cec5b64daab83dd Updated feature list. Added various fixes. git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@681 cb58f699-b61c-0410-a6fe-9272a202ed29 --- diff --git a/doc/DEPLOY-GUIDE-TARGET.html b/doc/DEPLOY-GUIDE-TARGET.html index 7dcc034..fbce309 100644 --- a/doc/DEPLOY-GUIDE-TARGET.html +++ b/doc/DEPLOY-GUIDE-TARGET.html @@ -190,48 +190,53 @@ configuration, but some older commands have been deprecated or replaced.

repositories, and computing the SAML attribute using business rules). This should greatly simplify the process of configuring the AA to support additional general attributes. -
  • An attribute connector for JDBC data sources is now available. - [1.1]
  • +
  • A sample resolver file for using standard LDAP person and inetOrgPerson + attributes is included. [1.1]
  • Support for a runtime-derived per-requester persistent identifier attribute to support anonymous personalization by targets has been added via an attribute plugin. [1.1]
  • -
  • Specialized deployments without privacy needs can configure - identity-based handles interoperable with other SAML deployments. - [1.1]
  • +
  • Specialized sites without privacy needs can configure identity-based + handles interoperable with other SAML deployments. + [1.1]
  • Target
      -
    1. Significantly more flexibility in configuring targets to ensure - robustness. Failover and redundant configurations are now supported.
    2. +
    3. Significantly more flexibility in configuring targets is provided to + ensure robustness. Failover and redundant configurations are now supported.
    4. The SHAR may now optionally store its session and attribute cache in a - back-end database in addition to the previously available in-memory option. - This would allow a site to run an apache server farm, with multiple SHARs, - supporting the same set of sessions.
    5. + back-end database in addition to the previously available in-memory option. + + [1.1]
    6. Federation supplied files (sites.xml and trust.xml) are now refreshed in - a much more robust manner.
    7. + a much more robust manner. +
    8. The SHAR can be configured to request specific attributes from the - Origin.
    9. + Origin.
    10. The SHAR can use TCP sockets when responding to the Apache module, for specialized deployment behind firewalls. [1.1]
    11. Attribute acceptance policies have been greatly enhanced, and are now used to configure all aspects of attribute handling by the target, except for requesting specific attributes by sitename. Adding attributes now takes - place in one configuration step. [1.1]
    12. + place in one configuration step. [1.1]
    13. Support for Apache 1.3 on Windows NT/2000/XP/2003 has been added. - [1.1]
    14. + [1.1]
    15. Microsoft IIS web server support has been added via an ISAPI filter and - extension. [1.1]
    16. + extension. [1.1]
    Miscellaneous
    1. Origin sites can configure a value to describe the type of - authentication mechanism used at the origin site(e.g. password, Kerberos, - PKI, etc.). This value is made available on the target side as Shib-Authentication-Method.
    2. + authentication mechanism used at the origin site (e.g. password, Kerberos, + PKI, etc.). This value is made available on the target side as Shib-Authentication-Method. +
      +
    3. Various improvements to error handling. Origin sites are now able to - supply an error URL and contact information to a federation. When a target - encounters an error, it can include this information in the error page.
    4. -
    5. Local time string values are now used in log files.
    6. + supply an "error URL" and contact information to a federation. When a target + encounters an error, it can include this information in the error page.
      + +
    7. Local time string values are now used in log files.
      +
    8. Internationalization support has been extended.

    Before starting, please sign up for all applicable @@ -270,7 +275,7 @@ tarball for your operating system.

  • Security Considerations
  • Server Certificates
  • Attribute Release Policies
  • -
  • Designate Contacts
  • +
  • Attribute Acceptance Policies
  • Browser Requirements
  • Clocks
  • Other Considerations
  • @@ -520,14 +525,20 @@ and requirements for a successful implementation of a Shibboleth target.

    the sets of attributes that both sites expect to correspond using are congruent.

    -

    2.f. Designate Contacts

    +

    2.f. Attribute Acceptance Policies

    -

    Since Shibboleth deals both with daily technical and operational issues - and also with contractual issues, a set of contacts should be set up to - support the user base and to facilitate interactions with other Shibboleth - sites and federation members. It is recommended that at least technical and - administrative contacts be designated. Names, titles, e-mail addresses, and - phone numbers may all be useful information to provide.

    +

    When a target receives a set of attributes, it must evaluate them in the + context of the Attribute Authority that is providing them, to assess their + "reasonableness". For example, if the value of an attribute is expected to + be from a small set of enumerated choices, the value should be compared + against that list. If a particular attribute or value is only trusted when + asserted by specific origins, that too should be checked.

    +

    Targets are configured to accept specific attributes that they understand + and care about, and are also configured with the rules to apply before + accepting the attributes for use by the RM or an application. Attributes and + values that don't meet the target's requirements are filtered out. The set + of configuration rules to make these decisions is called an Attribute + Acceptance Policy (AAP).

    2.g. Browser Requirements

    @@ -676,12 +687,14 @@ most minor "letter" updates should be usable.

  • Solaris 2.8:
    • - openssl-0.9.7b + openssl-0.9.7

      The shared library version of OpenSSL is required by Shibboleth. The static libraries may be installed as well if necessary for other applications, but cannot be used within - mod_ssl or any other Apache modules.

      + mod_ssl or any other Apache modules. openssl-0.9.7b, the latest + security fix release, has been tested, but any 0.9.7 version + should work.

    • Apache 1.3.27
      @@ -899,17 +912,17 @@ most minor "letter" updates should be usable.

      SHIBCONFIG=/opt/shibboleth/etc/shibboleth/shibboleth.ini
      export SHIBCONFIG

      -

      If the OpenSSL libraries are not in the system's search path, they - should be added to LD_LIBRARY_PATH. Generally - libtool's linker options will insure that the modules can locate the - Shibboleth libraries, but if not, you may need to add - /opt/shibboleth/lib to - LD_LIBRARY_PATH as well.

      If the SHIBCONFIG environment variable is not specified, Shibboleth will use /opt/shibboleth/etc/shibboleth/shibboleth.ini by default.

      On Windows, the installer will set the path and SHIBCONFIG variable for you in the system path, enabling Apache or IIS to be used.

    • +
    • If the OpenSSL libraries are not in the system's search path, they + should be added to LD_LIBRARY_PATH. Generally + libtool's linker options will insure that the modules can locate the + Shibboleth libraries, but if not, you may need to add + /opt/shibboleth/lib to + LD_LIBRARY_PATH as well.
    • The SHAR must be started along with Apache. Among other methods on Unix, this can be done either by creating a separate SHAR startup script or by modifying Apache's RC script to start/stop the @@ -1770,7 +1783,7 @@ most minor "letter" updates should be usable.

      A rule that applies to the origin site AA corresponding to the hostname.

  • -

    <Scope Accept="true|false"> Type="type">

    +

    <Scope Accept="true|false" Type="type">

    Specifies a value to accept or deny, either directly using type literal,
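Review bot: version tagging in the feature-list hunk (@@ -190,48 +190,53 @@) is inconsistent: the JDBC connector, sample LDAP resolver, persistent identifier, TCP-socket, AAP, Apache-on-Windows and IIS items carry "[1.1]", while the failover configuration, sites.xml/trust.xml refresh, requesting specific attributes from the Origin, local time strings and internationalization items carry no tag, so a reader cannot tell whether those are 1.0 features or 1.1 additions with the tag missing. The same hunk drops "This would allow a site to run an apache server farm, with multiple SHARs, supporting the same set of sessions.", which was the only explanation of why the back-end database cache option exists; suggest keeping that sentence, and replacing "in a much more robust manner" with a short statement of what changed in the refresh behaviour.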
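Review bot: in the section-2.f hunk (@@ -520,14 +525,20 @@) the "Designate Contacts" text is deleted rather than moved, yet the feature list in this same commit says origin sites can now supply an "error URL" and contact information to a federation, so the advice to designate technical and administrative contacts is still relevant; suggest relocating the removed paragraph under "Other Considerations" instead of dropping it. The new AAP paragraph says attributes that "don't meet the target's requirements are filtered out", but it should state explicitly what happens to an attribute for which no AAP rule exists at all, since that default is the property deployers rely on when deciding which attributes reach the RM or application.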
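Review bot: the Solaris prerequisite hunk (@@ -676,12 +687,14 @@) loosens the requirement from "openssl-0.9.7b" to "openssl-0.9.7" while in the same breath calling 0.9.7b "the latest security fix release"; "any 0.9.7 version should work" invites a deployer to stay on an earlier 0.9.7 build that lacks those fixes. Suggest stating the requirement as a minimum, e.g. "openssl-0.9.7b or later", and keeping the note that 0.9.7b is the version actually tested.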
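Review bot: the LD_LIBRARY_PATH paragraph in the environment hunk (@@ -899,17 +912,17 @@) is moved into its own bullet verbatim, so it keeps "insure" where "ensure" is meant. Since the following bullet says the SHAR is started from a separate startup script or from Apache's RC script, the moved bullet should also say that LD_LIBRARY_PATH and SHIBCONFIG have to be exported inside whichever script launches the SHAR; a value set only in an interactive shell does not reach a daemon started from an RC script.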
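Review bot: the `<Scope>` fix in the last hunk (@@ -1770,7 +1783,7 @@) is correct; the stray `>` after `Accept="true|false"` closed the tag early and left `Type="type">` outside the element. Worth scanning the other rule elements documented in this section for the same copy/paste shape before merging.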