Skip to end of metadata
Go to start of metadata

Shibboleth Project Work Packages

The following document track the various work packages within the Shibboleth project.

It provides:

  • a high level description of each work package
  • whether the project is being worked on now or will be in the future
  • estimated completion date of the work, assuming a stable level of developer resources
  • the total amount of time, given in person months (PM) each work package is expected to take
  • the amount of time, given in person days (PD) per calendar month, individuals spend working on the package
  • the relationship between packages
Icon

Note, all work packages related to software products include development, testing, packaging, and documentation within their total effort estimates. Total effort estimates however do not include user support time which is covered by a separate work package.

This document does not provide deep technical details of the work going on in any particular software project but it does link to such information when available.

Comments, suggestions, and discussions regarding listed work items should be directed to the developer's mailing list.

Committed Work

The following work items are currently staffed and work is ongoing.

NameCompletionTotalMonthlyDependDescription
Project Overhead and Infrastructureongoingn/aScott:2PD
Brent:1PD
Rod:1PD
Ian:1PD
Tom:1.5PD
 This work package encompasses efforts to "keep the lights on" for the Shibboleth projects. This includes attending teleconferences, face-to-face meetings, core list emails, etc. Also includes ongoing management of the infrastructure, and basic coordination among the team.

Standards Development

ongoingn/aScott:0.5PD
Ian:1PD
 This work package encompasses the effort expended to participate in, and keep track of, specifications from standards bodies such as OASIS, W3C, IETF, Kantara, etc. We have scaled back our efforts here to focus on development work.
User Supportongoingn/aScott:1.5PD
Brent:0.5PD
Rod:0.5PD
Ian:0.5PD
 This work package encompasses the effort spent supporting users of the Shibboleth software through the user mailing list.

OpenSAML-C, version 2, Maintenance

ongoingn/a

Scott:0.5PD

 This work package encompasses the effort in maintaining the C++ OpenSAML stack (the xml-security, xmltooling, opensaml libraries). This includes bug fixes, testing, release preparation and distribution.

Native SP, version 2, Maintenance

ongoingn/a

Scott:0.5PD

OpenSAML-C version 2This work package encompasses the effort in maintaining the 2.x Service Provider product. It includes bug fixes, testing, and release preparation and distribution.

OpenSAML-J, version 2, Maintenance

ongoing, possibly ending 2015n/aBrent:0.5PD This work package encompasses the effort in maintaining the Java OpenSAML stack (the xmltooling, openws, opensaml libraries). This includes bug fixes, testing, release preparation and distribution. This product is in maintenance-only mode, no features will be added.

IdP, version 2, Maintenance

ongoing, possibly ending 2015n/aBrent:1.5PDOpenSAML-J, version 2This work package encompasses the effort in maintaining the V2.x Identity Provider product. It includes bug fixes, testing, and release preparation and distribution.

OpenSAML-J, version 3, Maintenance

ongoingn/aBrent:2PD
Scott:0.5PD
Tom:1.0PD
 This work package encompasses the work of developing the next major version of Java version of OpenSAML. This includes moving to a multi-module maven project, refactoring some code, removing deprecated APIs and addition of new features. More Details >>

IdP, version 3, Maintenance

ongoing Tom:2.5PD
Rod:2.5PD
Scott:2.5PD
OpensAML-J, version 3This work package encompasses the work of developing the next major version of the Identity Provider product. This includes moving to a multi-module maven project, refactoring some code, removing deprecated APIs and addition of new features. More Details >>

Metadata Aggregator, Snapshot Refresh (v0.8.0)

on hold  OpenSAML-J 3 support moduleA refresh of the prerelease Metadata Aggregator to provide a more stable snapshot with some bug fixes for early adopters, who have run into several issues with the existing release that have been fixed already. This would include tagged releases of some supporting libraries.

Metadata Aggregator, version 1.0

on hold3PM OpenSAML-J 3 support moduleSoftware capable of reading in multiple metadata sources, validating and transforming the data, and outputting new metadata documents from the command line or via the Metadata Query Protocol. This work include development, testing, documentation, and release packaging.

Planned Work

Planned projects are work packages accepted by the consortium but which are not yet under development due to lack of resources or unmet preconditions. When committed work packages complete the individuals working on the completed work package will normally pick up the next project from this list.

The following items are listed in order of priority (those at the top being worked on before those at the bottom). The ordering may change depending on available developers.

NameCompletionTotalDependDescription
IdPv3 DocumentationQ2 20152PM Documentation has predictable lagged during the development cycle, and we need to catch up and produce adequate reference and migration material.

Embedded DS Patch / Refresh

Q1 2015<1PM This work package encompasses the effort in releasing a patch update to the EDS to fix bugs and update packaging and libraries. It could include some small feature additions.

Centralized Discovery Service, version 2

Q2 20151.5PM This work package encompasses the work of developing the next major version of the Centralized Discovery Service product. This includes significant internal code refactoring, changes in configuration files to align with the IdP, and production of JSON metadata feed used by the embedded discovery service. More Details >>

Finish IdP Single Logout Implementation

Q3 20151PM

 

This work package encompasses the effort to build an essentially "complete" SAML logout implementation into the IdP that includes both front- and back-channel logout support and some kind of reasonable starting point for a UI that documents for users what services they appear to be logged into after the logout "completes". This would build on the partial implementation in V3, which has a fairly complete framework for the design.

Enhance IdP Consent UI

Q2 20151PM This work package encompasses the effort to extend the consent functionality in V3 to include support for HTML5 local storage.

IdP Delegation Extension

Q2 20151PM

 

The delegation work that was built on top of V2 was not part of the initial V3 release and would need to be ported into a future IdP feature upgrade.
Server MigrationQ4 2015<1PM This work package is to migrate shibboleth.net and all our services to a new system to reduce hosting expenses and upgrade the OS.

Under Discussion

These are projects which have been proposed but which the Consortium has not yet decided to work on. Most estimates here are highly speculative.

NameSkillsTotalDependDescription

Understanding Shib/SAML Documentation

Tech Writing, SME2PM This work package encompasses the effort to develop a good set of documentation that explains SAML, Shibboleth, and Federations at a conceptual level. The intended audience for the documentation is those new to the subject matter.

Enhanced Product Documentation

Tech Writing, SME3PM This work package encompasses the effort to develop a good set of product documentation that explains features more thoroughly and contextually, with examples, and better how-to material that is task focused instead of reference oriented.

Developer Documentation

SME3PM per product This work package encompasses the effort to develop a good set of developer documentation for extension work on Shibboleth products. Documenting the SP and IdP would be separate items.

Infrastructure Documentation

SME1PM We have a lot of infrastructure services, but little formal documentation for them, which will make project transitions much harder.

TestShib, version 3

 2.5PM This work package encompasses the effort to create a new TestShib software package. The current TestShib's registration system was developed by a number of novice programmers over a period of years. This product would involve producing a more supportable test platform and making it a consortium service. This is like to involve more than just programming, but an ongoing investment in supporting it with more than volunteer effort.

IdP User Interface

Java, Javascript IdP V3There are various things that the IdP might expose a UI in order to manage, such as:
  • User-initiated IdP-initiated Single Sign On and Single Log Out
  • User-initiated persistent ID disassociation
  • User-initiated removal of attribute release consent
  • Admin-initiated single logout of user
  • Admin-initiated reload of selected subsystems or metadata sources

SP Feature Update

C++, codebase familiarity2PM This work package encompasses the effort in releasing a feature update to the SP to incorporate a smallish set of new features requested in JIRA, including at least one code contribution from a consortium member. Features considered for inclusion would have to be efforts on the order of a week or less of work. It would not cover the larger feature ideas elsewhere in the roadmap, though this release could include one or more such features if desired.

SP Module for IIS 7+

 1PM This work package encompasses the effort to add a module to the SP that natively supports IIS7+ using the APIs added in the Windows 2008 time frame. The current module for IIS dates back to the original IIS APIs and has various limitations that may be mitigated by adding a newer version, including support for setting server variables instead of request headers, and possibly supporting POST resumption across SSO. It also future proofs the software.

SP Availability in Fedora

RPM packaging  This work package encompasses the effort to produce SP packages compatible with Fedora standards and to get them accepted into the Fedora project. This has unknown implications on Red Hat packaging. This is a request from the Moonshot team.

SP Session Cache Alternatives

C++, codebase familiarity1-2PM The use of server-side sessions is a significant hassle in deploying load-balanced applications behind an SP. Moving that state into a set of encrypted and signed cookies would be a major benefit, but there are likely to be size limitations and it would need to be efficient enough to use on systems with a decent number of requests. A key would be to use it only to populate an in-process cache, and so only affect cross-process requests. IdPv3 has an implementation worth expanding into C++.

In additon, ODBC has proven to be unreliable on Linux (which was expected), so a server-side alternative without the limitations of memcache would be useful to explore.

SP OAuth Implementation

C++, OAuth3-5PM The SP supports web service security using the SAML ECP profile in a manner that supports N-tier delegation. OAuth in its typical form is a simpler mechanism that reinvents cookies and works when N=3 (site accessed by browser wants to access another site). The SP could include an OAuth token flow for protecting access to itself, providing another way of hosting web services with attribute-based authorization. In this model, the SP issues tokens to itself, so there are no interoeprability considerations. Either cookie-like bearer tokens or something stronger could be implemented (taking more time), but in practice no clients are likely to support anything stronger.

SAML-ECP GSS-API Mechanism

C++, GSS-API and SASL10PM Specification of a browser-less GSS-API mechanism for SAML based on ECP is largely complete with stable drafts available. Completion of the drafts depends on implementation feedback. A mechanism would need to be developed in C++ with C linkage to the mechglue layers of at least MIT and Heimdal GSS libraries. Other implementations, such as Java, would also be useful if possible. Some prototype work on this was done by NCSA staff with ISOC funding. This work item refers to productionizing this code under the auspices of the project, and extending it with additional features.

Confluence/Jira Plugins

Java1PM + some ongoing maint. Many sites are using various forks of code originally from the project for SSO integration for Confluence and Jira. The code is maintained sporadically for Confluence, but little is well-supported for JIRA. Since the project is running those products and forced to use those plugins, offering officially supported versions might make sense to help defray the pure overhead of running them internally.

OpenID Connect

Java, C++, OAuth/OIC

2.5PM (Java prototype), 10-12PM (Java comprehensive)

3-4PM (C++ prototype), 16PM (C++ comprehensive)

IdP V3

A large (a cynic might say massive) set of new specifications exist to implement SAML features in terms of OAuth2 and a new set of JSON security standards. Scoping and developing something in this area is an obvious future step for the project. The estimates are guesses, and would be per-product (SP and IdP would be totally separate work items, just as the original SAML support was). It seems likely that the SP functionality would be more immediately useful than the IdP, but that will take more time and involve fewer potential programmers.

Java Service Provider

Java, SAML8PM An analogue of the native, C++, SP written in Java. This has been requested for a long time due to the deficiencies so many other SAML implementations have had. It's been parked for a long time, and we had hoped to see good implementations emerge, but that hasn't happened. It may be time to revisit this, especially now that some of the code needed has been fleshed out as part of library work for V3. Some older design thoughts around this are here. There has also been work on a SAML JSR, although the state of that and its soundness are not clear.

Office 365 Integration

Java, WS-Trust3PM Microsoft has made documents publically available describing fat-client integration with Office 365 via WS-Trust. They are offering technical contacts to faciitate this work. We have to determine viability and our willingness to adopt non-standard profiles without public change control procedures. This work seems of questionable value now given public (but unexplained) statements from Microsoft about SAML support for Lync and similar use cases.

OAuth Authorization Service

Java, OAuth8PMIdP V3OAuth 2 introduces an infrastructure component for issuing authorization tokens, essentially similar to some of the eventual goals for SAML. We could add this kind of functionality to the IdP. Neither the demand for this, nor the actual use cases, are very clear at the moment.

IdP One Time Password SMS Authentication

Java IdP V3This work package encompasses the effort to add support, to IdP v3, an SMS based multi-factor authentication mechanism. The idea is that after a username/password loginthe IdP would send an SMS message containing a code that would be entered in to a second login page. More Details >>

IdP Configuration Tooling

Java, Javascript, UI design IdP V3From time to time people have requested some form of configuration tooling for the IdP. The suggestions range from command line tools, desktop UIs, and web-based UIs. In general it seems like the most often wish revolve around configuring:
  • Generate metadata based off of configuration
  • Add/remove metadata provider - will support file and URL based metadata and digital signature validation
  • LDAP/Kerberos/Container authentication
  • Database and LDAP data connectors
  • Configure release of attribute to all, or a specific, relying party

Parked/Rejected Work

These are projects which were proposed but were found to either be ill-defined, out of scope, or without sufficient interest from the project members. These items may be revisited from time to time as situations change.

NameDescription

IdP Support for WS-Federation

Version 1.3 of the IdP had support for Microsoft's proprietary ADFS v1 protocol. This was not brought forward because it didn't seem to be used by very many deployers.

OpenID Support

Support for OpenID 2 protocol along with Attribute Exchange, PAPE, and Simple Registration extensions in the IdP, SP, or both. There is no use case for this work or real interest from the community. An prototype extension was available for the IdP for 9 months and only one site tried it. OpenID is now obsoleted by OpenID Connect. More Details >>

InfoCard Support

Support for Microsoft InfoCard managed cards in the IdP, SP, or both. There is no use case for this work or real interest from the community. Microsoft has discontinued its delivery of future versions of this technology. More Details >>

Resource Registry, version 1

Various federations have software that devolves management of IdP/SP information to people closer to those entities. SWITCH's Resource Registry is the canonical example of this. People have made requests that such a tool be available from the Shibboleth project. Currently each federation has something that might be considered a resource registry and each is very different so it's unclear that a single code base could ever cover all, or even the majority, of these uses.

Security Audit/Review 

Various open source projects have undertaken formal code audits or reviews for security issues, and this sometimes is raised as a pseudo-requirement for governmental usage. We have a lack of resources/expertise, and no explicit demand/requirement for this. It would also be extremely costly in time.
Conformance TestingKantara (formerly Liberty) does (or did) some conformance testing of SAML implementations against various conformance testing suites, particularly eGovernment profiles that the project has participated in the development of. Vendors have expressed interest in Shibboleth participating at times, though not recently. There is a lack of demand from our community, and unwillingness to devote limited core team resources to the effort. We also don't support some of the features required by the testing, and do support things we think are more important but aren't part of the testing.

SAML 2.1 Standard

This work package encompasses an effort to update and revise the SAML 2.0 standard within the OASIS SSTC. With the project turnover, we feel unable to provide substantial work toward such an effort. The work at the SSTC has essentially been put on hold due to lack of volunteers to work on it.
  • No labels