Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page is mostly just used to capture the "broad" picture of where the project spends its time and energe and some of the "big ticket" work items that have come up in the past that have been parked for various reasons.

The best way to keep tabs on the project is through Jira. We do not have a very sophisticated model there at the moment; rather we have issue filters that will show the issues and tasks scheduled for particular releases of the major software projects. Because our code is spread out into separately versioned components, the filters are the only "comprehensive" view of all the issues being worked on or planned.

The Dashboards for the IdP and SP products are somewhat organized and include access to some of these filters, but you can search for specific filters via (just enter SP or IdP or whatever else into the search box).

These are organized by version of course and should include versions beyond current releases.

The rest of this page is mostly only of historical interest or to the Consortium Board.

Shibboleth Project Work Packages

The following document track tracks the various work packages within the Shibboleth project.


Project Overhead and Infrastructureongoingn/a
This work package encompasses efforts to "keep the lights on" for the Shibboleth projects. This includes attending teleconferences, face-to-face meetings, core list emails, etc. Also includes ongoing management of the infrastructure, and basic coordination among the team.

Standards Development

This work package encompasses the effort expended to participate in, and keep track of, specifications from standards bodies such as OASIS, W3C, IETF, Kantara, etc. We have scaled back our efforts here to focus on development work in recent years.
User Supportongoingn/a
This work package encompasses the effort spent supporting users of the Shibboleth software through the Member-only support mechanisms or in response to mailing list questions from members. Non-member support is not subsidized and not project time.

OpenSAML-C, version 3, Maintenance

This work package encompasses the effort in maintaining the V3 C++ OpenSAML stack (the xml-security, xmltooling, opensaml libraries). This includes bug fixes, testing, release preparation and distribution. It does not include significant feature work.

Native SP, version 3, Maintenance

This work package encompasses the effort in maintaining the V3 Service Provider product. It includes bug fixes, testing, and release preparation and distribution. It does not include significant feature work.
Embedded Discovery Service, version 1, Maintenanceongoingn/a
This work package encompasses the effort in maintaining the EDS, including bug fixes, testing, and release preparation and distribution.

OpenSAML-J, version 34, Maintenance

This work package encompasses the effort in maintaining the V3 V4 Java OpenSAML library and supporting libraries. This includes bug fixes, testing, release preparation and distribution. It does not include still includes significant feature work, as active development has moved to V4continues.

IdP, version 34, Maintenance

This work package encompasses the effort in maintaining the V3 V4 Identity Provider product. It includes bug fixes, testing, and release preparation and distribution. It does not include still includes significant feature work, as active development has moved to V4continues.

Metadata Aggregator, version 1.0


Initial product release of the framework and command line tool. Excludes previously intended Metadata Query Protocol functionality and in-depth documentation.
OpenSAML V4V5Q1 2020Q3 2021

Next feature major update to libraries, principally focused on cleanup, possibly requirements for more complete SP functionality in Java to support IdP proxyingmeeting any needs that arise for IdPv5.
IdP V4V5Q1 2020Q3 20211+PYOpenSAML V4An upgrade focused on move to Java 11, Spring 5, and elimination of deprecated features and APIs, and a few new features. More details>>>V5This release is in the planning stages, but most of the "new" work on this version will probably be organized into separate plugin modules rather than a large amount of new core code. This notably includes the first OIDC plugins that provide configuration format and API stability.

Planned Work

Planned projects are work packages accepted by the consortium but which are not yet under development due to lack of resources or unmet preconditions. When committed work packages complete the individuals working on the completed work package will normally pick up the next project from this list.



OpenID Connect

Java, C++, OAuth/OIDC

2.5PM (Java prototype), 10-12PM (Java comprehensive)

3-4PM (C++ prototype), 16PM (C++ comprehensive)

A GEANT project to implement OIDC natively is on its second official release and will be incorporated into IdPv5 after migrating into our Git repository for V4.

SP work unlikely given current resources but in a perfect world might be nice to pull in code from mod_auth_oidc.

Second generation IdP Proxy SupportJava, work underway4PM

Add sufficient OIDC and SAML RP probably CAS support to IdP to handle proxying use cases without additional software footprint. SAML proxying is planned for IdPv4 and additional protocols will be added laterSAML support was added to IdPv4.

SP Packaging Automation202020211PMWe need to build an AWS-based process for automating SP packaging, at least encompassing RPM, possibly Windows if practical



Understanding Shib/SAML Documentation

Tech Writing, SME2PMEncompasses the effort to develop a good set of documentation that explains SAML, Shibboleth, and Federations at a conceptual level. The intended audience for the documentation is those new to the subject matter.

Enhanced Product Documentation

Tech Writing, SME3PMEncompasses the effort to develop a good set of product documentation that explains features more thoroughly and contextually, with examples, and better how-to material that is task focused instead of reference oriented.

Developer Documentation

SME3PM per productEncompasses the effort to develop a good set of developer documentation for extension work on Shibboleth products. Documenting the SP and IdP would be separate items.

Infrastructure Documentation

SME1PMWe have a lot of infrastructure services, but little formal documentation for them, which will make project transitions much harder.
Packaging / Installation / DeploymentPackaging, Containerization, Installer Tools2PMThis would span general installer improvements all the way to possible use of container technologies like Docker. Unclear if there's value in a general solution to that, but various groups have asked or have worked on things like this. Likely also ties into TIER work or requirements.



This work package encompasses the effort to create a new TestShib software package. The current TestShib's registration system was developed by a number of novice programmers over a period of years. This product would involve producing a more supportable test platform and making it a consortium service. This is like to involve more than just programming, but an ongoing investment in supporting it with more than volunteer effort.

Of late, seems to have filled this niche well enough.

Expansion of IdP Integration TestingJava, Installer Tools2PMWe need more extensive coverage of the installation processes and integration tests across different supported containers and platforms, to improve QA.
Token BindingJava, C++2PMSupport for the emergent TLS Token Binding extension in our SAML implementations. This is very uncertain in light of Google at least for now having pulled Chrome support for Token Binding.

IdP User Interface

Java, Javascript
There are various things that the IdP might expose a UI in order to manage, such as:
  • User-initiated IdP-initiated Single Sign On and Single Log Out
  • User-initiated persistent ID disassociation
  • User-initiated removal of attribute release consent
  • Admin-initiated single logout of user
  • Admin-initiated reload of selected subsystems or metadata sources

SP Availability in Fedora

RPM packaging
This work package encompasses the effort to produce SP packages compatible with Fedora standards and to get them accepted into the Fedora project. This has unknown implications on Red Hat packaging. This was a request from the Moonshot team.

SP OAuth Implementation

C++, OAuth3-5PMThe SP supports web service security using the SAML ECP profile in a manner that supports N-tier delegation. OAuth in its typical form is a simpler mechanism that reinvents cookies and works when N=3 (site accessed by browser wants to access another site). The SP could include an OAuth token flow for protecting access to itself, providing another way of hosting web services with attribute-based authorization. In this model, the SP issues tokens to itself, so there are no interoeprability considerations. Either cookie-like bearer tokens or something stronger could be implemented (taking more time), but in practice no clients are likely to support anything stronger.


C++, GSS-API and SASL10PMSpecification of a browser-less GSS-API mechanism for SAML based on ECP is largely complete with stable drafts available. Completion of the drafts depends on implementation feedback. A mechanism would need to be developed in C++ with C linkage to the mechglue layers of at least MIT and Heimdal GSS libraries. Other implementations, such as Java, would also be useful if possible. Some prototype work on this was done by NCSA staff with ISOC funding. This work item refers to productionizing this code under the auspices of the project, and extending it with additional features.

Confluence/Jira Plugins

Javamainly some ongoing maint.Many sites are using various forks of code originally from the project for SSO integration for Confluence and Jira. The code is somewhat maintained for Confluence and Jira. Since the project is running those products and forced to use those plugins, offering officially supported versions might make sense to help defray the pure overhead of running them internally.

Java Service Provider

Java, SAML8PMAn analogue of the native, C++, SP written in Java. This has been requested for a long time due to the deficiencies so many other SAML implementations have had. It's been parked for a long time, and we had hoped to see good implementations emerge, but that hasn't happened. It may be time to revisit this, especially now that some of the code needed has been fleshed out as part of library work for V3. Some older design thoughts around this are here. There has also been work on a SAML JSR, although the state of that and its soundness are not clear.

Office 365 Integration

Java, WS-Trust, OAuth3PM

Microsoft has made documents publically available describing fat-client integration with Office 365 via WS-Trust. They are offering technical contacts to faciitate this work. We have to determine viability and our willingness to adopt non-standard profiles without public change control procedures.

This work seems of questionable value now given the SAML support across most of the applications and would probably take the form of OAuth support if we did anything.

OAuth Authorization Service

Java, OAuth8PMOAuth 2 introduces an infrastructure component for issuing authorization tokens, essentially similar to some of the eventual goals for SAML. We could add this kind of functionality to the IdP. Neither the demand for this, nor the actual use cases, are very clear at the moment.

IdP One Time Password SMS Authentication


This work package encompasses the effort to add support , to the IdP v3, for an SMS based multi-factor authentication mechanism. The idea is that after a username/password loginthe IdP would send an SMS message containing a code that would be entered in to a second login page. More Details >>

SMS seems to have rightly lost a lot of supporters given its security flaws. Work on other tech probably makes more sense, and if we did do this it likely would depend on PrivacyIdea to handle the actual work.

IdP Configuration Tooling

Java, Javascript, UI design
From time to time people have requested some form of configuration tooling for the IdP. The suggestions range from command line tools, desktop UIs, and web-based UIs. In general it seems like the most often wish revolve around configuring:
  • Generate metadata based off of configuration
  • Add/remove metadata provider - will support file and URL based metadata and digital signature validation
  • LDAP/Kerberos/Container authentication
  • Database and LDAP data connectors
  • Configure release of attribute to all, or a specific, relying party

The Unicon GUI is convering a lot of this space at the moment though in a highly abstracted/insulated way through the metadata boundary and the MetadataDrivenConfiguration work.

Security Audit/Review

C++, Java
Various open source projects have undertaken formal code audits or reviews for security issues, and this sometimes is raised as a pseudo-requirement for governmental usage. We have a lack of resources/expertise, and no explicit demand/requirement for this. It would also be costly in time.
Elliptic Curve EncryptionC++, Java1PM eachEncryption using Elliptic Curve keys is currently not supported by either IdP or SP and is not supported in either of the XML Security Libraries we use. This would entail donating implementations of EC-DH to Apache and then supporting them in our software. Without this work, it's impossible to fully migrate off of RSA keys. Unclear at this point whether this is worth doing or not, and it's not generally supported by other implementations.