Shibboleth & Shibboleth Consortium
Background
• Shibboleth evolved out of Internet2 Middleware Activity in 2000, with first
release in 2003.
• Significant funding from Internet2 (USA) and latterly JISC (UK) resulted in
wide adoption by research and education communities and enterprises around
the world.
• Used by 26 national federations (as of May 2013):
UKAMF (UK), InCommon (US), SWITCHaai (Switzerland), AAF (Australia),
AAI@EduHr (Croatia), ACOnet (Austria), Belnet (Belgium), CAF (Canada), CAFe
(Brazil), CARSI (China), CESNET (Czech Republic), COFRe (Chile), DFN-AAI
(Germany), Edugate (Ireland), eduID.hu (Hungary), GakuNin (Japan), GRNET
(Greece), Haka (Finland), IDEM (Italy), LAIFE (Latvia), Tuakiri (New Zealand),
RCTSaai (Portugal), RENATER (France), SIArnesAAI (Slovenia), SWAMID (Sweden),
TAAT (Estonia) and ULAKAAI (Turkey).
Shibboleth Consortium
• Ongoing funding for development, maintenance and support was
identified as problematic.
• Aimed to build on Shibboleth adoption and broaden funding base,
as well as derive benefits from increasing commercial usage.
• Recognised that formal structure was required to receive
contributions, pay developers, and determine the technical
direction of the project.
• Internet2, Janet and SWITCH agreed to form Shibboleth Consortium
and signed charter establishing this in April 2013.
• Developing membership to ensure sustainability.
Consortium Membership
• Principal Members (those contributing €120K per year)
Internet2 (US), Janet (UK) & SWITCH (Switzerland)
• Federation Members
ACOnet (Austria), NII/GakuNin (Japan), CSC/Haka (Finland), RENATER
(France) & NORDUnet (Nordic region)
• Academic / Non-Profit Members
Carnegie Mellon University (US) & LIGO Scientific Collaboration (US)
• Commercial Members
TBD?
Consortium Structure
S. Cantor (Ohio State)
J. Sharp (Janet)
S. Waggener (I2)
C. Witzig (SWITCH)
K. Meynell (Janet)
Membership Fees
Category                     Small                     Medium                      Large
Principal Member             €100,000                  €100,000                    €100,000
NREN/Federation Member       €10,000 (<250 IdP+SPs)    €20,000 (251-750 IdP+SPs)   €40,000 (>750 IdP+SPs)
Academic/Non-Profit Member   €2,000 (<10K users)       €4,000 (10-50K users)       €6,000 (>50K users)
Commercial Member            €4,000 (<€10M)            €8,000 (€10-100M)           €16,000 (>€100M)
Project Update
• All products in maintenance mode pending release of
IdPv3, apart from security issue response
• Heartbleed Update
• Relatively minimal impact on project, as opposed to
federations, deployers
• SP patch issued within a week
• Longer term: V3 likely to include a separately generated
key for SOAP security, and a continued goal of deemphasizing back channel profiles
IDPv3 Status
• Probably 80% feature complete
• Major TODOs:
– Install / upgrade scripts
– Porting uApprove functionality
– Limited logout capability added to 2.4
– ECP (due to goal of not requiring container managed authn)
– Polishing error handling
– Audit Logging
– Documentation
• Nearing an alpha release, but documentation is the
main hold up
IDPv3 Config Compatibility
• Aiming for compatibility with:
– relying-party.xml (but deprecated)
– attribute-resolver.xml
– attribute-filter.xml
• Not even trying:
– handler.xml (*)
– internal.xml
(*) Some kind of migration help for simple login
configs likely
IDPv3 Config Changes
• Much more use of native Spring, particularly
internally, also to deal with advanced features
• Properties file(s) used to configure many
common settings without editing XML
• User-editable and should-not-edit files are
separated for clarity
• Metadata sources separated from
RelyingParty/Profile configuration
• Authentication is completely different, but out of
the box capability similar
2015-2016 Planning
• Planning based on flat resources; reductions
will require more prioritization of
maintenance responsibilities against future
work
• Seeking community input on future projects
Givens
• Stabilization work on V3 (small to medium)
• Java 8 support for V2 (small)
• SP Patch / Refresh (small)
• EDS Patch / Refresh (small)
Impactful Items
• V2 Support past mid'15 (s)
• Product Docs (m)
• Developer Docs (m)
• Conceptual Docs (m)
• SAML Logout (m)
• SP Ext for IIS7+ (s)
• Java SP (l)
• OpenID Connect (l)
• SP OAuth
Authorization (m/l)
• Central Discovery
Service Refresh (m)
• TestShib (m)
• Consent
Enhancements (s)
• Atlassian Plugins (s)
Questionables
• SAML GSS-API Production Implementation
– Major undertaking without significant outside help or long
development cycle
• SP Feature Update
– Continues to be fairly ahead of the feature adoption curve
• Office 365
– Recent Microsoft announcement casts doubt on need for
WS-Trust support
• OAuth IdP integration
– Interoperability and scoping questions
– Relationship to IdP feature set unclear
Projected Income & Expenditure
(Aug 2013-Jul 2014)
• Income £302,149
– Principal Members £199,426
– Other Members £61,979
(Received to date = £267,610)
• Expenditure £253,262
– Developers £185,712
– Consortium Management £43,686
– Travel £15,000
– Website £5,000
– Other £3,864
• Internet2 Expenditure $147,786 (~£88,244)
Board Nominations
• Members will select a Board representative in
a forthcoming e-mail vote this summer
• Call for nominations, here or by e-mail to
[email protected]
Further Information
• Shibboleth website
http://shibboleth.net/
• Consortium documents
Charter http://shibboleth.net/documents/shibboleth-charter-signed20130424.pdf
Organisational Regulations http://shibboleth.net/documents/operatingresolution-20130529.pdf
Shibboleth 3: A New Identity Platform
http://shibboleth.net/documents/business-case.pdf
• Joining the Consortium
http://shibboleth.net/documents/application.pdf