Not yet released.
For a complete list of issues addressed and features added in this release, see https://issues.shibboleth.net/jira/issues/?filter=10878.
The following new beans have been added in this release:
- shibboleth.authn.Krb5.ServicePrincipal (added to conf/authn/krb5-authn-config.xml)
- shibboleth.authn.Krb5.Keytab (added to conf/authn/krb5-authn-config.xml)
A new velocity context "attributeDisplayNameFunction" is available to the attribute release consent screens. This is the browser-language-sensitive content of the <DisplayDescription> declared for the attribute in attribute-resolver.xml. See VelocityProperties for more details.
A new environment variable, IDP_BASE_URL, can be set to globally override the URL used to call the administrative flows from the command line tools. Note that using anything but localhost will generally require modifying conf/access-control.xml.
IDP-114: The Kerberos login flow has been enhanced to support KDC verification using a service principal and keytab. New beans must be uncommented and configured to use this feature (see KerberosAuthnConfiguration).
IDP-624: The order in which attributes are displayed to the user during attribute release consent is now configurable.
IDP-666: To enable internationalization of messages displayed to users, the charset used when parsing message source property files has been changed to UTF-8.
220.127.116.11 (Windows Only)
Mar 31, 2015
This is a service release of the 3.1.1 Windows Installer that fixes a bug (IDP-668) that was preventing proper upgrades of the installer. It is not a change to any of the supplied software, and is only relevant for new upgrades, or for anybody having problems with the upgrade process.
As part of this fix, it's important to note that any changes made directly to the webapp folder's contents after installation do not survive across upgrades. Any such changes must be made to the edit-webapp tree designed for that purpose.
Mar 26, 2015
For a complete list of issues addressed in this release, see https://issues.shibboleth.net/jira/issues/?filter=10871
This is a bug fix release.
This release contains a fix for the issue described in the security advisory issued on March 26, 2015. Apart from upgrading, no other actions are required to address the issue.
A bug (IDP-646) was fixed where the maxValidityInterval of the RequiredValidUntil metadata filter was incorrectly interpreted in milliseconds rather than seconds if a duration was specified as a number rather than a duration string.
A bug (IDP-642) was fixed that prevented use of the schema validation metadata filter.
A bug (IDP-635) was fixed that ignored languages preferred by the browser when displaying attributes during consent to attribute release.
A bug (IDP-651) was fixed that prevented the idp.session.consistentAddress property from being turned off.
A bug (IDP-654) was fixed that prevented the use of configuration properties to set return attributes in the LDAP data connector configuration.
Mar 10, 2015
For a complete list of issues addressed in this release, see https://issues.shibboleth.net/jira/issues/?filter=10673
The following new properties have been added in this release (defaults in parentheses):
- idp.consent.storageRecordLifetime (P1Y)
- idp.replayCache.StorageService (shibboleth.StorageService)
- idp.artifact.StorageService (shibboleth.StorageService)
- idp.attribute.resolver.LDAP.searchFilter ("(uid=$requestContext.principalName)")
- idp.service.attribute.resolver.maskFailures (true)
- idp.service.attribute.filter.maskFailures (true)
- idp.httpclient.useTrustEngineTLSSocketFactory (false)
The following new beans have been added in this release:
- shibboleth.AuthenticationPrincipalWeightMap (added to conf/authn/general-authn.xml)
This is a bug fix release. Addressing IDP-573, which corrected a serious bug in the attribute resolver, required the addition of new public APIs, necessitating a minor version change, but this is not a significant feature upgrade. A few new properties and Spring beans have been added, and these are denoted in the documentation with the superscript 3.1 to distinguish them. Anything so denoted will be ignored or fail if used with an earlier version. (This convention will be used going forward to denote anything introduced with new releases.)
New properties were added for configuring alternative storage services for the replay cache and artifact store for clustered deployments.
A new "map" bean was added to conf/authn/general-authn.xml to address IDP-602 and make it possible to apply more control over which SAML AuthenticationMethod/AuthnContextClassRef is returned from a login flow that supports more than one. A map of Principal objects to numeric weights is used to favor some over others. The default configuration now applies a weight of "1" to the "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" context class principal so that it is used in place of "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" when both are potentially valid. You can add this bean from the delivered file into your configuration to incorporate this improvement.
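As an added illustration (not text from this page), the weight map described above would look roughly like this inside conf/authn/general-authn.xml. The parent bean shibboleth.SAML2AuthnContextClassRef and the c:classRef attribute are not named on this page; they are assumed to match the delivered V3 file, so compare against that file before copying.

```xml
<!-- Added example; goes inside the existing <beans> root of
     conf/authn/general-authn.xml, which is assumed to already declare
     the Spring "util" and "c" namespaces. -->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <entry>
        <key>
            <!-- Principal to favor when a login flow supports several.
                 Parent bean name is an assumption, see lead-in. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <!-- Weight "1", as in the default configuration described above.
             urn:oasis:names:tc:SAML:2.0:ac:classes:Password has no entry,
             so PasswordProtectedTransport is used in its place when both
             are potentially valid. -->
        <value>1</value>
    </entry>
</util:map>
```

After an upgrade, check the AuthnContextClassRef in a test assertion: relying parties that compare the value exactly will see PasswordProtectedTransport where they may previously have seen Password.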
Per IDP-580, a syntax introduced in V3.0 to declare <security:TrustEngine> elements inside <metadata:MetadataProvider> elements has been deprecated in favor of declaring the trust engine element directly within a metadata:SignatureValidation MetadataFilter, which is the only current filter plugin that supports such an object. The deprecated syntax will likely be removed promptly due to its limited usefulness and very recent introduction.
A bug (IDP-585) was fixed that prevented the use of caching in the attribute resolver. In conjunction with this fix, the deprecated cacheResults LDAP/RDBMS data connector attribute is no longer honored (and a warning emitted). The <dc:ResultCacheBean> elements are now the only supported mechanism for configuring caching.
Several bugs (IDP-588) were fixed to support using server-side storage such as MySQL or other databases for storage of consent decisions.
Per IDP-560, the default/example view templates include a few improvements, so you may wish to review those changes if you have a previous install, as the original files will not be overwritten.
18.104.22.168 (Windows Only)
Feb 25, 2015
This is a service release of the 3.0.0 Windows Installer that updates Jetty to 9.2.9.v20150224 to address a Jetty security issue. If you did not install Jetty via the Shibboleth installer, then this update is not required (but of course you may still be affected by the issue if you have an affected Jetty version in use).
As noted on the WindowsInstallation page, service releases (represented by the fourth version number) do not indicate an actual update to the Shibboleth software, only to third party components we support.
Dec 22, 2014
This is the first release of the third-generation Identity Provider software. The key documentation links are located on the IDP30 space Home page, such as SystemRequirements, Installation, and UpgradingFromV2 material.
This release should interoperate with all previous releases of Shibboleth and other software that supports the same standards. As a major upgrade, the list of issues fixed and features added is numerous and you should refer to the documentation itself for information on what's changed or new.