here - Shibboleth
advertisement
Shibboleth & Shibboleth Consortium Background • Shibboleth evolved out of Internet2 Middleware Activity in 2000, with first release in 2003. • Significant funding from Internet2 (USA) and latterly JISC (UK) resulted in wide adoption by research and education communities enterprises around the world. • Used by 26 national federations (as of May 2013): UKAMF (UK), InCommon (US), SWITCHaai (Switzerland), AAF (Australia), AAI@EduHR (Croatia), ACOnet (Austria), Belnet (Belgium), CAF (Canada), CAFe (Brazil), CARSI (China), CESNET (Czech Republic), COFRe (Chile), DFN-AAI (Germany), Edugate (Ireland), eduID.hu (Hungary), GakuNin (Japan), GRNET (Greece), Haka (Finland), IDEM (Italy), LAIFE (Latvia), Tuakiri (New Zealand), RCTSaai (Portugal), RENATER (France), SIArnesAAI (Slovenia), SWAMID (Sweden), TAAT (Estonia) and ULAKAAI (Turkey). Shibboleth Consortium • Ongoing funding for development, maintenance and support was identified as problematic. • Aimed to build on Shibboleth adoption and broaden funding base, as well as derive benefits from increasing commercial usage. • Recognised that formal structure was required to receive contributions, pay developers, and determine the technical direction of the project. • Internet2, Janet and SWITCH agreed to form Shibboleth Consortium and signed charter establishing this in April 2013. • Developing membership to ensure sustainability. Consortium Membership • Principal Members (those contributing €120K per year) Internet2 (US), Janet (UK) & SWITCH (Switzerland) • Federation Members ACOnet (Austria), NII/GakuNin (Japan), CSC/Haka (Finland), RENATER (France) & NORDUnet (Nordic region) • Academic / Non-Profit Members Carnegie Mellon University (US) & LIGO Scientific Collaboration (US) • Commercial Members TBD? Consortium Structure S. Cantor (Ohio State) J. Sharp (Janet) S. Waggener (I2) C. Witzig (SWITCH) K. Meynell (Janet) Membership Fees Category Small Medium Large Principal Member €100,000 €100,000 €100,000 €10,000 <250 IdP+SPs €20,000 251-750 IdP+SPs €40,000 >750 IdP+SPs €2,000 <10K users €4,000 10-50K users €6,000 >50K users €4,000 <€10M €8,000 €10-100M €16,000 >€100M NREN/Federation Member Academic/Non-Profit Member Commercial Member Project Update • All products in maintenance mode pending release of IdPv3, apart from security issue response • Heartbleed Update • Relatively minimal impact on project, as opposed to federations, deployers • SP patch issued within a week • Longer term: V3 likely to include a separately generated key for SOAP security, and a continued goal of deemphasizing back channel profiles IDPv3 Status • Probably 80% feature complete • Major TODOs: – – – – Install / upgrade scripts Porting uApprove functionality Limited logout capability added to 2.4 ECP (due to goal of not requiring container managed authn) – Polishing error handling – Audit Logging – Documentation • Nearing an alpha release, but documentation is the main hold up IDPv3 Config Compatibility • Aiming for compatibility with: – relying-party.xml (but deprecated) – attribute-resolver.xml – attribute-filter.xml • Not even trying: – handler.xml (*) – internal.xml (*) Some kind of migration help for simple login configs likely IDPv3 Config Changes • Much more use of native Spring, particularly internally, also to deal with advanced features • Properties file(s) used to configure many common settings without editing XML • User-editable and should-not-edit files are separated for clarity • Metadata sources separated from RelyingParty/Profile configuration • Authentication is completely different, but out of the box capability similar 2015-2016 Planning • Planning based on flat resources; reductions will require more prioritization of maintenance responsibilities against future work • Seeking community input on future projects Givens • • • • Stabilization work on V3 (small to medium) Java 8 support for V2 (small) SP Patch / Refresh (small) EDS Patch / Refresh (small) Impactful Items • V2 Support past mid'15 (s) • Product Docs (m) • Developer Docs (m) • Conceptual Docs (m) • SAML Logout (m) • SP Ext for IIS7+ (s) • Java SP (l) • OpenID Connect (l) • SP OAuth Authorization (m/l) • Central Discovery Service Refresh (m) • TestShib (m) • Consent Enhancements (s) • Atlassian Plugins (s) Questionables • SAML GSS-API Production Implementation – Major undertaking without significant outside help or long development cycle • SP Feature Update – Continues to be fairly ahead of the feature adoption curve • Office 365 – Recent Microsoft announcement casts doubt on need for WS-Trust support • OAuth IdP integration – Interoperability and scoping questions – Relationship to IdP feature set unclear Projected Income & Expenditure (Aug 2013-Jul 2014) • Income £302,149 • Principal Members • Other Members £199,426 £61,979 (Received to date = £267,610) • Expenditure • • • • • Developers Consortium Management Travel Website Other • Internet2 Expenditure £253,262 £185,712 £43,686 £15,000 £5,000 £3,864 $147,786 (~£88,244) Membership Fees Category Small Medium Large Principal Member €100,000 €100,000 €100,000 €10,000 <250 IdP+SPs €20,000 251-750 IdP+SPs €40,000 >750 IdP+SPs €2,000 <10K users €4,000 10-50K users €6,000 >50K users €4,000 <€10M €8,000 €10-100M €16,000 >€100M NREN/Federation Member Academic/Non-Profit Member Commercial Member Board Nominations • Members will select a Board representative in a forthcoming e-mail vote this summer • Call for nominations, here or by e-mail to contact@shibboleth.net Further Information • Shibboleth website http://shibboleth.net/ • Consortium documents Charter http://shibboleth.net/documents/shibboleth-charter-signed20130424.pdf Organisational Regulations http://shibboleth.net/documents/operatingresolution-20130529.pdf Shibboleth 3: A New Identity Platform http://shibboleth.net/documents/business-case.pdf • Joining the Consortium http://shibboleth.net/documents/application.pdf
