As we previewed last week, we have a security patch (V3.3.3) for the IdP coming on Wednesday that impacts CAS deployments and includes a Spring security fix that might affect a very small percentage of deployers on Windows (realistically none, perhaps, but we're erring on the side of caution). The main purpose of the patch is the CAS issue. This is one of the first times we've publicly provided advance notice of a security fix, and that seems to be common practice for widely used software these days. Obviously the full details will be available with the patch's release.
We have been finalizing a new project position statement on our plans for supporting the Java platform long term, which you can find under Product Platforms. This addresses a few questions we've gotten lately about support for current and future Java versions, and largely clarifies that we believe our focus should be on supporting so-called Long Term Support (LTS) releases, currently Java 8, and Java 11 later this year. Feedback on this policy proposal can be provided in any of our many communication channels. Ultimately we want and need to support what you need, but we think most people haven't yet really digested what's going on with Java, so we're hoping to provide a clear statement to help with any compatibility questions going forward.
Development on SP V3.0 is nearing completion and we have begun a round of internal testing, after which we will provide a beta release once a pass over the documentation is done and basic notes on upgrading are drafted. Some polishing work is left to do on the enhanced Dynamic metadata features but a feature freeze is very close.
The last development update included a planned change to the default configuration filename that has since been rescinded for the final release. Upgrades, particularly via RPM, are much cleaner and more reliable if the shibboleth2.xml filename is left alone, so we're prepared to live with the fallout of leaving it.
A number of planned changes to default settings will be compiled fairly soon and circulated for feedback, particularly in the area of SAML 1.1 and attribute query support, which increasingly create confusion, but final decisions will be open to discussion.
Significant improvements in this upgrade include:
- A newly implemented IIS7+ native module to replace the creaky ISAPI module, including support for REMOTE_USER and non-header Server Variables.
- Stateless clustering, though with even more limitations on logout.
- Substantial fixes and improvements to the Dynamic metadata support, including a LocalDynamic option for consuming IdP metadata fragments from the local file system (the IdP has a similar feature).
- Elimination of Application Overrides for trivial "call the SP something different per virtual host" use cases.
- An experimental feature to define and reference Application Overrides via external files that can be added at runtime.
- Sensible logging defaults for Apache/IIS modules relying on the Event Log (Windows) or syslog (everything else), addressing a range of problems with file permissions and log rotation.
- Updated XML libraries with substantial security and maintenance improvements. The reduced surface area will hopefully prevent certain kinds of likely security bugs from impacting the project.
- An improved build process on Windows, making the delivery of library patches less labor intensive.
- Dropping Solaris support, saving the project an average of $1500-$3000 in testing time per release, without factoring in support costs. It adds up.
- Many small and not-so-small bug fixes.
More on a lot of this as the documentation gets cleaned up. Needless to say, the upgrade got bigger as work progressed, and we think this will be a worthy upgrade, with the added bonus that it will be safe and easy to apply to existing systems.
ETA at this point is probably late June depending on testing and feedback. The sooner we get this out, the sooner we can turn full attention back to getting IdP V3.4 completed by this fall.