Child pages
  • ReleaseNotes
Skip to end of metadata
Go to start of metadata

Version 0.10.0 (next feature release)

Release date: TBA

For a complete list of issues addressed in this release, see

This is a major pre-1.0 feature release.

Packaging Changes

  • MDA-158: The packaging of the RSA key blacklist resources introduced in version 0.9.0 has been changed. Previously included in the aggregator-pipeline artifact, these resources have now been moved into a separate aggregator-blacklists artifact. The resource names have not changed. This means that if your application does not use these resources, it may decrease in size by around 13MB. Applications making use of the blacklist resources may need to add a dependency on aggregator-blacklists.
  • MDA-181: A Maven BOM (Bill Of Materials) artifact has been made available. This makes it easier for projects using the Shibboleth MDA as a dependency to acquire a consistent set of managed dependencies without using the Shibboleth parent POM. You can include the MDA BOM in your Maven project like this:


API Additions

  • MDA-52: A new stage EntitiesStrippingStage has been added to allow stripping a number of different elements (all from the same namespace) from a DOM document. The stage may be operated in a blacklisting or whitelisting mode, with blacklisting the default. Like EntityStrippingStage, an elementNamespace property determines the namespace in question, and all elements in other namespaces are ignored.
  • MDA-56: A new stage EntityAttributeAddingStage has been added to add entity attributes to the metadata for SAML entities. This is configured using attributeNameattributeNameFormat and attributeValue properties, with attributeName and attributeNameFormat defaulting to the values required to add an entity category attribute. The stage is based on a new Container framework which attempts to generate reasonably well formatted XML for nested container elements, and handles the insertion of the required parent containers (Extensions, EntityAttributes, Attribute) when they are not already present.
  • MDA-160: The EntityAttributesFilteringStage has been extended with a new recordingRemovals property, defaulting to false. If recordingRemovals is set to true, each removed entity attribute is recorded as a WarningStatus in the item's item metadata, indicating the name and value of the entity attribute removed. This can then be processed by subsequent stages, such as a StatusMetadataLoggingStage.
  • MDA-177: An entity attribute matcher AssuranceCertificationMatcher has been added to allow simpler matching of entity attributes containing assurance certifications, such as that used by the SIRTFI framework.
  • MDA-178: A bean definition resource has been added to simplify access to each bean class in the aggregator-pipeline artifact. In XML configuration, this can be accessed by <import resource="classpath:net/shibboleth/metadata/beans.xml"/>. One abstract bean is defined for each available bean class, named after the class's simple name prefixed by "mda.". After including this resource, for example, class="net.shibboleth.metadata.dom.XMLSignatureValidationStage" can be replaced by parent="mda.XMLSignatureValidationStage"; this definition will also include the init-method and destroy-method properties for the bean when appropriate.
  • MDA-179: The simple command-line interface now includes a --version option to request the printing of the framework version number.
  • MDA-184: A new utility class RegexFileFilter has been added to support one of the common use cases of the DOMFilesystemSourceStage, where only certain files should be processed from a directory, based on their names.
  • JSPT-73: This release bundles a new version of the Shibboleth java-support package, which implements a new FixedStringIdentifierGenerationStrategy for use when it is not necessary to use different ID attribute values for different documents.

API Changes

  • MDA-166: The ItemSerializer and ItemCollectionSerializer interfaces now allow serializers to throw IOException when appropriate. The provided DOMItemSerializer will throw an IOException wrapping a TransformerException if the latter is thrown during XML serialization. Previously, this condition would only have resulted in logging at ERROR level.
  • MDA-167: The ItemIdTransformStage now transforms identifiers using a collection of Guava Function objects rather than of the similar Converter provided by the Spring framework. This also affects the type of the MDQueryMD5ItemIdTransformer and MDQuerySHA1ItemIdTransformer classes. This change will not affect existing configurations if only those classes are in use. This matches the use of Function elsewhere in the API, and allows the use of Guava's Functions helper class.
  • MDA-169: The SAMLMetadataSupport.getDescriptorExtensions method has been renamed to getDescriptorExtension to reflect the fact that it returns a single result.
  • MDA-171: The SAMLMetadataSupport.getDescriptorExtension method's parameters must now be non-null; their annotations have been changed to @Nonnull to correspond with this. In previous releases, they were annotated as @Nullable and passing null would result in the method returning null.
  • MDA-175: The ItemOrderingStrategy interface defined by the EntitiesDescriptorAssemblerStage now allows the ordering strategy to throw a StageProcessingException if, for example, the items presented are invalid in some way and can not be ordered. Such an exception will be propagated upwards to the caller of the stage's execute method.
  • MDA-179: The Version class's getMicroVersion method has been renamed to getPatchVersion to align with current (semantic versioning) terminology.
  • MDA-182: Several classes exposed as part of the API for building custom stages have been reworked to simplify implementation of other stages and to correspond to current naming conventions:
    • BaseStage has been renamed to AbstractStage
    • BaseIteratingStage has been renamed to AbstractFilteringStage
    • A new AbstractIteratingStage allows the simpler construction of stages which process each Item independently
  • MDA-188: The AbstractDOMTraversalStage framework has been generalised to allow the use of custom context objects specific to the particular traversal, rather than relying on sometimes tortured uses of the ClassToInstanceMultiMap to carry everything. This is a breaking change, but will only affect writers of stages derived from AbstractDOMTraversalStage:
    • Context objects must implement the DOMTraversalContext interface. This no longer includes the getStash method (returning a ClassToInstanceMultiMap but does add a new end() method to be called at the end of the traversal.
    • A basic implementation of SimpleDOMTraversalContext is provided without any data fields. This can be used in many cases where custom storage is not required in the context; for an example, see AbstractElementVisitingStage.
    • More complex cases can extend SimpleDOMTraversalContext to include additional fields and method. For a very straightforward example, see CRDetectionStage. A more complex example, including use of the end() method from DOMTraversalContext, can be found in ElementsStrippingStage.


  • MDA-183: the compromised-1024.txt and compromised-2048.txt resources have been extended with keys shipped with some releases of the Jetty container.

Bug Fixes

  • MDA-179: The Version class is now functional, rather than throwing a NullPointerException when used.
  • MDA-196: Setting the XMLSignatureSigningStage's includeX509SubjectName property to true caused a ClassCastException. It now behaves as intended, resulting in an <X509SubjectName> element being added to the signature's  <KeyInfo>'s <X509Data> element.

Version 0.9.2 (current stable release)

Release date: 19th October 2016

This release adds some minor new features:

  • MDA-76 multi-output serialiser for offline use cases
    This adds a MultiOutputSerializationStage which can be provided with a Serializer and an OutputStrategy to allow each Item in a collection to be serialized to a different location. This is intended for use cases such as per-entity metadata generation. A FilesInDirectoryMultiOutputStrategy is provided for this use case; its properties include a destination directory within which individual files are created based on a prefix and suffix string, and a transformed version of each item's first ItemId. Transformer classes SHA1StringTransformer and PathSegmentStringTransformer have been added to cover the most common current use cases. An example of the use of these new classes are available in this example.
  • MDA-170 allow use of PKCS#11 for XML DSIG
    Adds a PKCS11PrivateKeyFactoryBean to allow a PKCS#11 token (such as a smart card or HSM) to be used to sign documents. An example of its use can be found in this example. Note that this class is deprecated and will not appear in version 0.10.0. In that release, the same functionality will be available from the spring-extensions project, see JSE-20.

The following bug fix is included:

  • MDA-168 EntityAttributeFilteringStage mishandles multiple containers
    The EntityAttributeFilteringStage only processed the first EntityAttributes container in an entity descriptor's Extensions. Although the specification requires that at most one such container be present, this is not a schema constraint and cannot be relied on in security-sensitive applications. EntityAttributeFilteringStage now processes all EntityAttributes containers in an entity.

Version 0.9.1 (previous stable release)

Release date: 25th April 2016

This release adds a single new feature:

  • MDA-163: add stage to detect CR characters in metadata

This adds a CRDetectionStage for use in detecting metadata that can trigger the SSPCPP-684 issue in the Shibboleth SP.

Version 0.9.0

Release date: 18th December 2015.

For a complete list of issues addressed in this release, see

This is a major pre-1.0 feature release.


Now using Spring Resources instead of (now deprecated) Shibboleth Resources.

The factory bean classes PrivateKeyFactoryBean, PublicKeyFactoryBeanX509CertificateFactoryBean and X509CertificateChainFactoryBean bundled from the spring-extensions package have significant API improvements. Each factory now takes a "resource" property which is a Spring Resource rather than a Java File. This allows these factories to be used with any kind of Spring resource, including ClassPathResource. Existing configurations will need to change to compensate for this.

<bean class="...X509CertificateFactoryBean">
    <property name="certificateFile">
        <bean class="">
            <constructor-arg value="..."/>
<bean class="...X509CertificateFactoryBean">
    <property name="resource">
        <bean class="">
            <constructor-arg value="..."/>

If you were previously setting the input property of one of these factories to a string value representing the path, and relying on the Spring resource loader to convert that into a File object, you may need to change your configuration to explicitly create a FileSystemResource if that is not the default used by the Spring context type in use in your application.

Now uses the JAXP implementation supplied by the JRE, rather than a much older "endorsed" version. This will affect any configurations which depended on Xerces or Xalan specific extensions; re-endorse the implementation of your choice if this is an issue.

All provided stages now implement a new collectionPredicate property. This can be set to a Predicate<Collection<Item<T>>> which will be applied to each collection passed to the stage. If the collectionPredicate returns true, the stage is executed as normal; this is the default. If the collectionPredicate returns false, the stage is skipped. This can be used used to perform lightweight conditional operations such as forming an EntitiesDescriptor from a collection only if the collection contains at least two items. The AtLeastCollectionPredicate class has been added to address this specific use case. Conditional evaluation of a series of stages with the same collectionPredicate can be simplified by use of a CompositeStage.

This release bundles a new version of the Shibboleth spring-extensions package, which provides a new IdentifiableBeanPostProcessor class. If you include an instance of this class in your Spring configuration, you can now default the "id" property on all Shibboleth components from the bean's "id" attribute, simplifying your configuration by removing the usual duplication between these values.

<bean class="..." id="theBean">
    <property name="id" value="theBean"/>
<bean class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor"/>
<bean class="..." id="theBean">

The ItemSerializer interface is no longer defined over a collection of items, but now (less surprisingly) operates on a single item. A new ItemCollectionSerializer interface (with a serializeCollection method) takes its place in operating on collections of items. In addition, ItemSerializer and ItemCollectionSerializer implementations are no longer responsible for closing the OutputStream they write the serialized form of their input to. These changes allow reuse of serializer implementations in cases other than the current SerializationStage. The SerializationStage implementation now accepts an ItemCollectionSerializer rather than an ItemSerializer, but DOMElementSerializer has been changed to support both interfaces so that no changes to configurations should be required.

The SetValidUntilStage and SetCacheDurationStage duration setters are now marked using an annotation to indicate that they take non-negative duration values. If you provide an appropriate converter in your Spring configuration, this means that configurations can now use ISO duration values (e.g., "PT6H") rather than a literal number of milliseconds (e.g., "21600000"). For example:

<!-- This bean MUST be called "conversionService" to work properly. -->
<bean id="conversionService" class="">
    <property name="converters">
            <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" />
            <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" />
            <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" />
            <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" />
            <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" />
<bean id="stage" class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"

API Additions

  • MDA-55: added EntityAttributeFilteringStage and associated matchers: EntityCategoryMatcherEntityCategorySupportMatcherMultiPredicateMatcherRegistrationAuthorityMatcher. Additional support classes: SAMLSupportMDAttrSupport.
    • EntityAttributeFilteringStage evaluates a list of matching rules for each entity attribute present in a SAML EntityDescriptor. The list of rules is logically ORed to determine (along with a whitelisting/blacklisting property) whether each attribute value is retained or filtered out.
    • Each matching rule is in the form of a Predicate over an EntityAttributeContext containing the attribute's value, NameNameFormat and the entity's registration authority.
    • The registration authority value in the EntityAttributeContext is taken from a RegistrationAuthority object in the entity's item metadata. This would normally be extracted from the entity beforehand using the RegistrationAuthorityPopulationStage.
    • The EntityCategoryMatcher and EntityCategorySupportMatcher classes match a given attribute value with appropriate attribute Name and NameFormat values as defined in the entity category specification.
    • RegistrationAuthorityMatcher can match against a specific registrar authority, or against the absence of any authority.
    • MultiPredicateMatcher can be used with arbitrary Predicate<CharSequence> objects evaluated against the four components of the EntityAttributeContext. Suitable Predicate objects can be obtained, for example, from Guava's Predicates.containsPattern method. Unset component predicates are evaluated as true.
    • If the filtering out of an AttributeValue results in an empty Attribute container, that container is removed.
    • If the removal of an empty Attribute container results in an empty EntityAttributes container, that container is removed.
  • MDA-109: added ElementWhitespaceTrimmingStage to trim whitespace from start and end of text contents of selected elements
  • MDA-132: new property collectionPredicate added on all stages; new AtLeastCollectionPredicate class added
  • MDA-139: new classes supporting the Metadata Query Protocol:
    • ItemIdTransformStage
    • MDQueryMD5ItemIdTransformer
    • MDQuerySAML1ItemIdTransformer
  • MDA-141: New ItemMetadataAddingStage adds a collection of ItemMetadata objects to each Item's item metadata
  • MDA-150: added NamespacesStrippingStage to whitelist/blacklist multiple namespaces
  • MDA-154: added X509ValidationStage to allow validation of X.509 certificates in XML metadata. This is supplied with a list of Validator<X509Certificate> instances to determine the validation performed.
    • MDA-69X509RSAOpenSSLBlacklistValidator checks for RSA modulus values from blacklist set. A blacklistResource property is used to set a Spring Resource from which the blacklist set is read in OpenSSL blacklist format. The following resources are made available in the classpath for common use cases such as Debian weak keys and popular known-compromised keys such as those improperly shipped with SAML software releases: 
      • net/shibboleth/metadata/validate/x509/debian-512.txt
      • net/shibboleth/metadata/validate/x509/debian-1024.txt
      • net/shibboleth/metadata/validate/x509/debian-2048.txt
      • net/shibboleth/metadata/validate/x509/debian-4096.txt
      • net/shibboleth/metadata/validate/x509/compromised-1024.txt
      • net/shibboleth/metadata/validate/x509/compromised-2048.txt
      • Multiple X509RSAOpenSSLBlacklistValidator instances should be configured to test for multiple blacklist sets, as only one Resource can be consumed by each instance. Note, however, that if RSA key length is also constrained to, say, 2048 bits, blacklists corresponding to shorter keys can be ignored.
    • MDA-74X509RSAKeyLengthValidator checks for RSA modulus sizes smaller than a given number of bits. Properties allow setting a warning and error threshold; by default, modulus values less than 2048 bits in length are regarded as errors.
    • MDA-155X509RSAExponentValidator checks for invalid (negative or odd) or insecurely small RSA exponent values. Properties allow setting a warning and error threshold; by default, values of e smaller than 5 are regarded as errors.
  • MDA-156: added RegistrationAuthorityItemIdentificationStrategy for interfederation use cases. This extends the basic identifier produced by FirstItemIdItemIdentificationStrategy by adding a component corresponding to RegistrationAuthority item metadata, if present. This would normally be extracted from the entity beforehand using the RegistrationAuthorityPopulationStage.
    • A set of registration authorities can be ignored by setting the ignoredRegistrationAuthorities property. For example, you may wish to provide only basic identifiers for entities from your own registration authority.
    • Registration authority names (URIs) can be mapped to more convenient display names (such as country codes or federation proper names) by setting a Map<String, String> as the registrationAuthoritiesDisplayNames property.

API Changes

  • MDA-131: the identifierStrategy property of ItemMetadataFilterStageItemMetadataTerminationStage and StatusMetadataLoggingStage has been renamed to identificationStrategy for consistency with other parts of the API.
  • PrivateKeyFactoryBean, PublicKeyFactoryBean, X509CertificateFactoryBeanand X509CertificateChainFactoryBean input properties are all now called "resource" and are all Spring Resource objects rather than Java File objects.
  • ItemSerializer#serialize now takes Item<T> instead of Collection<Item<T>>
  • DomDocumentFactoryBean is now DOMDocumentFactoryBean
  • DOMDocumentFactoryBean's documentResource property is now resource
  • The SetValidUntilStage and SetCacheDurationStage duration setters now throw ConstraintViolationException if a value less than or equal to zero is provided, rather than leaving this to be detected at initialization time.
  • The connectionDisregardSslCertificate property of the has been renamed to be connectionDisregardTLSCertificate.
  • MDA-123EntityRegistrationAuthorityFilterStage has moved from the net.shibboleth.metadata.dom.saml package to net.shibboleth.metadata.dom.saml.mdrpi

API Removals

  • MDA-129: ElementFormattingStage removed
  • MDA-122: EntityPublisherPathFilterStage removed
  • MDA-122PushDownCacheDurationStage removed
  • MDA-122PushDownValidUntilStage removed
  • MDA-122SetPublicationInfo removed
  • MDA-122XMLSignatureSigningStage's deriveKeyNames property removed
  • MDA-123: SAMLMetadataSupport.RPI_NS removed (use MDRPIMetadataSupport.MDRPI_NS)

Version 0.8.0 (previous stable release)

For a complete list of issues addressed in this release, see


  • API changes for new Shibboleth coding conventions, and in the use of generic types
  • Signature validation can reject empty references, blacklist algorithm URIs and protects against "wrapping" attacks.
  • New stage to extract MDRPI registrationInfo into item metadata.
  • Moved to Java 7, Apache Santuario V1.5
  • Improved CLI experience
  • bug fixes

API Changes

  • DomElementItem becomes DOMElementItem
  • DomElementSerializer becomes DOMElementSerializer
  • DomFilesystemSourceStage becomes DOMFilesystemSourceStage
  • DomResourceSourceStage becomes DOMResourceSourceStage
  • domResource bean properties become DOMResource
    • getDomResource becomes getDOMResource
    • setDomResource becomes setDOMResource
  • xpathExpression bean properties become XPathResource
    • getXpathExpression becomes getXPathExpression
    • setXpathExpression becomes setXPathExpression
  • xslResource bean properties become XSLResource
    • getXslResource becomes getXSLResource
    • setXslResource becomes setXSLResource
  • BaseDomTest test class becomes BaseDOMTest
  • Stages and Pipelines with generic types are parameterised by the type wrapped in the Item, not the implementation type.  For example, you would now use a Stage<Element> rather than a Stage<DOMElementItem>. Most internal Stage APIs have been changed in a similar way.  For example, Collection<DOMElementItem> would become Collection<Item<Element>>The generic type changes mean that the DOM-based stages can work over any class implementing Item<Element>, not just the supplied DOMElementItem.

  • No labels