Internet2: Shibboleth Working Group
Posted by nicole on October 13th, 2008
The Shibboleth Working Group is not the natural habitat for policy focused people like me. Apologies, but we are about to get technical.
Chad La Joie (Shibboleth IdP architect guru) is talking about Shibboleth 2.1 and new features: particularly the introduction of the ability to explicitly deny the release of certain attributes. 2.1 should be out sometime this week. The usual question has come up - is now the right time to upgrade from 1.3? Internet2 are keen to move people across to shib2 and of course this will have the benefits offered by SAML2, but it seems to me that most people in the UK federation can happily stay on 1.3 for now.
Now we are talking about the inability to stop people from doing dumb things - the over-riding message being don’t ignore the things in bright red boxes in the installation guides on the Internet2 spaces wiki. Back-ups, change-logs also good.
The wiki is also the place to look at the Shib2.2 roadmap.
User Consent is again the hot topic for shib2.2. Shib2.2 will have user consent attribute release capabilities based on the SWITCH Arpviewer that I mentioned a couple of weeks ago.
The rest of the session was covered by Scott Cantor who looks after the SP side of shib. Not so many new features on the SP side but a lot of bug fixing (mostly working through Apache bugs!).
The final slot looked at something that has been on the wish-list for some time: n-tier access. This is still something that is being scoped and is not a promised feature, but the shib team is working on a use-case based around delegation in uPortal. It looks like this will be interesting stuff to track. Some of the questions include SOAP or REST?, links to Kerberos (more important in the US than back home), links to Info Cards, and the emergence of OAuth. More information on the Shib2.2 Roadmap.
October 13th, 2008 at 11:12 pm
The UK federation is far more flexible to the convoy approach - evident in the relatively wide range of platforms present in the Federation. Guanxi, 1.3, 2.0, Ezproxy and a variety of other SAML compliant SPs. And that’s got to be an indicator of the good health of the Federation. As we all know a good Heinz 57 variety dog is far more robust than a King Charles Spaniel.
October 14th, 2008 at 1:30 pm
To reiterate Nicole’s point. If you are updating from IdP 2.0 to 2.1 you *must* make sure you have saved your previous configuration.
Chad is very hopeful that 2.1 will hit the e-streets this week…
October 15th, 2008 at 3:31 pm
A couple of the bugs squashed in the 2.1 IdP are particularly relevant to UK sites. For example, the IdP now correctly sets the audience condition in responses, which will allow it to interoperate with the Shibboleth to Athens gateway. So this release is particularly significant for sites which had decided to go the 2.x route but stalled because of these particular issues, and they should be able to start to make progress again once 2.1 is out.