GridShib Development Roadmap

From Globus

GridShib for GT

General references:

Version 0.5.0

  • Release date: November 30, 2006
  • Compatibility with both GT4.0 and the GT4.1 development release
    • GT4.1 brings major authorization framework changes
    • separate binaries for each
    • source build will auto-sense target and adjust accordingly
  • an update to the identity based authorization feature
    • uses gridmap instead of DN ACL
    • allows services such as GRAM to (optionally) receive identity->user mappings if the caller is in the gridmap (if configured, this will short circuit attribute based authorization and attribute based user mapping for that caller)
  • logging enhancements
  • SAML authentication assertion PIP now only accepts bearer confirmation method
  • Bugfixes

Version 0.5.1

  • Release date: February 15, 2007
  • Implement GT4.0 and GT4.1 authorization proxies for the VOMS interceptors (compatibility layer to enable use in both stable and development version of the GT security runtime)
  • Implement combined VOMS or Shibboleth attribute to account mapping
    • As with the current gridmap situation, GT4.0.x deployments cannot take advantage of a permit-overrides combining algorithm or arbitrarily configure fallbacks.
    • To accommodate this we'll allow for a name mapping scheme that consults the sources in this order, falling back to the next one whenever no match is found or no authorization is granted: gridmap, VOMS, Shibboleth.
    • Add name mapping functionality to the current VOMS module
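The ordered fallback described above (gridmap first, then VOMS, then Shibboleth, with the first match winning) is easy to get subtly wrong, so here is an added, self-contained illustration of it in Java. This is example code written for this page, not GridShib's own interceptor code; the `AccountMapper`, `CallerContext` and `resolveAccount` names and the sample DNs, FQANs and attribute values are all constructed for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added illustration of the gridmap -> VOMS -> Shibboleth fallback order.
// Hypothetical types and constructed sample data; not GridShib code.
public class AccountMapperChain {

    /** One source of identity-to-account mappings; an empty result means "no match". */
    interface AccountMapper {
        String name();
        Optional<String> map(CallerContext caller);
    }

    /** Minimal stand-in for the request's security context (constructed for the example). */
    static final class CallerContext {
        final String subjectDn;
        final List<String> vomsFqans;
        final Map<String, String> shibAttributes;
        CallerContext(String subjectDn, List<String> vomsFqans, Map<String, String> shibAttributes) {
            this.subjectDn = subjectDn;
            this.vomsFqans = vomsFqans;
            this.shibAttributes = shibAttributes;
        }
    }

    /** Classic gridmap: exact DN -> local account. */
    static AccountMapper gridmap(Map<String, String> entries) {
        return new AccountMapper() {
            public String name() { return "gridmap"; }
            public Optional<String> map(CallerContext c) {
                return Optional.ofNullable(entries.get(c.subjectDn));
            }
        };
    }

    /** VOMS: the first FQAN (in the order the VO asserted them) that has an account mapping. */
    static AccountMapper voms(Map<String, String> fqanToAccount) {
        return new AccountMapper() {
            public String name() { return "VOMS"; }
            public Optional<String> map(CallerContext c) {
                return c.vomsFqans.stream()
                        .map(fqanToAccount::get)
                        .filter(a -> a != null)
                        .findFirst();
            }
        };
    }

    /** Shibboleth: one pushed attribute (e.g. eduPersonPrincipalName) mapped to an account. */
    static AccountMapper shibboleth(String attributeName, Map<String, String> valueToAccount) {
        return new AccountMapper() {
            public String name() { return "Shibboleth"; }
            public Optional<String> map(CallerContext c) {
                String v = c.shibAttributes.get(attributeName);
                return v == null ? Optional.empty() : Optional.ofNullable(valueToAccount.get(v));
            }
        };
    }

    /**
     * Walks the mappers in order and returns the first account found. Each mapper is
     * consulted only when the previous one produced no match, so a gridmap entry
     * short-circuits VOMS and Shibboleth mapping for that caller. An empty result
     * means no source could map the caller and the service should refuse access.
     */
    static Optional<String> resolveAccount(List<AccountMapper> chain, CallerContext caller) {
        for (AccountMapper m : chain) {
            Optional<String> account = m.map(caller);
            if (account.isPresent()) {
                System.out.println("mapped by " + m.name() + " -> " + account.get());
                return account;
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        List<AccountMapper> chain = Arrays.asList(
            gridmap(Map.of("/DC=org/DC=example/CN=Alice", "alice")),
            voms(Map.of("/myvo/Role=admin", "myvo-admin", "/myvo", "myvo-user")),
            shibboleth("eduPersonPrincipalName", Map.of("bob@example.org", "bob")));

        // Constructed callers: matched by gridmap, by VOMS, by Shibboleth, and by nothing.
        CallerContext alice = new CallerContext("/DC=org/DC=example/CN=Alice", List.of("/myvo"), Map.of());
        CallerContext carol = new CallerContext("/DC=org/DC=example/CN=Carol", List.of("/myvo/Role=admin"), Map.of());
        CallerContext bob   = new CallerContext("/DC=org/DC=example/CN=Bob", List.of(),
                                                Map.of("eduPersonPrincipalName", "bob@example.org"));
        CallerContext dave  = new CallerContext("/DC=org/DC=example/CN=Dave", List.of(), Map.of());

        for (CallerContext c : List.of(alice, carol, bob, dave)) {
            System.out.println(c.subjectDn + " => " + resolveAccount(chain, c).orElse("DENIED"));
        }
    }
}
```

Note that Alice is mapped to `alice` by the gridmap even though she also carries a VOMS FQAN that would map to `myvo-user`: once a higher-priority source answers, the later ones are never consulted, which is exactly the short-circuit behaviour the gridmap feature in 0.5.0 describes. Dave, who matches none of the three sources, gets no account at all and must be denied rather than handed a default mapping.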

Version 0.5.2

  • Release date: April 4, 2007
  • Primarily a maintenance release

Version 0.6.0

This version of GS4GT will be compatibility tested with GT 4.0.

Version 0.6.1

This version of GS4GT will be distributed with CTSS4.

  • Target release date: August 2008
  • Remove dependency on GT 4.2 JARs
    • Remove dependency on jce-jdk13-131.jar (Bug 6168)
    • Remove dependency on newer versions of XML JARs (which will be distributed with GT 4.0.8) (Bug 6218)
  • Incorporate gridshib-common-0_5_0.jar (Bug 5791)
  • Refactor blacklist framework (Bug 5966)
    • Allow blacklisting of identity attributes (such as e-mail address)
    • Create bootstrap properties file
    • Refactor ant build files and bootstrap application
    • Rename blacklistPrincipalNamesFile config parameter (which breaks backward compatibility)
  • Fix undeploy bug (Bug 6169)
  • Fix bugs in base GT 4.0 interceptors (Bug 6276 and Bug 6270)
  • Refactor binary build process (Bug 6074)
  • Configure bootstrap property (Bug 6269)
  • Implement test harness

Version 0.7.0

This version of GS4GT will be compatibility tested with GT 4.2.

  • Target release date: Unscheduled
  • Update GT 4.1/4.2 compatibility code to support new stand-alone authorization framework in GT 4.2

Post-0.6.0 features

  • Extend SAMLAssertionPushPIP
    • extend policy language for pushed authentication context (AuthenticationMethod, AuthenticationInstant, etc.)
    • extend policy language for self-asserted attributes
    • parse nested SSO assertions (e.g., from GridShib CA or shib-enabled portal)
    • extend policy language for proxied attributes (in nested assertions)
    • parse signed, top-level assertions
    • extend policy language for signed attributes (in signed assertions)
  • Support for SAML V2.0 metadata
    • includes metadata production, distribution, and consumption
    • metadata facilitates federation; illustrate this by building a mini-federation around SAML metadata
  • Support for XACML V2.0
    • replace proprietary policy language with XACML
    • leverage Globus implementation of "SAML V2.0 Profile for XACML V2.0"
  • Implement Attribute Query PIP 2.0
    • retool the old attribute query PIP for SAML V2.0
    • essentially this is an Axis-based version of Attribute Query Client 2.0
  • Implement full Attribute Acceptance Policy
    • enforce scoped attributes (scoped trust) in AttributeAcceptancePIP
    • filter out Shib handles (i.e., transient identifiers)
  • Extend blacklist functionality
    • allow ranges of IP addresses
    • allow blacklisting based on arbitrary user attributes (requires a database)
  • Use database for logging and blacklist administration
  • Integrate CAS and GridShib
    • support SAML Authorization Decision Statements
    • integrate CAS functionality
    • support authorization decision statements to construct limited proxies
    • support XACML statements to construct limited proxies
  • Add support for VOMS in security context and PDPs
  • Implement SAML authorization plugin for GridFTPd

GridShib for Shib

This GridShib component is currently in hibernation.

New Features

  • Support for Shibboleth 2.0
  • Implement Attribute Query Handler 2.0
    • refactor the current attribute query handler for Shib IdP 2.0
    • support Attribute Query PIP 2.0 and Attribute Query Client 2.0
  • Implement Authentication Request Handler 2.0
    • produce holder-of-key SSO assertions
    • support for Authentication Request Client 2.0
    • (this is phase II of GSoC2008)
  • separate Certificate Registry from main distribution (make it totally optional)

GridShib SAML Tools

  • The GridShib SAML Tools include:
    • SAML Assertion Issuer Tool
    • X.509 Binding Tool
    • SAML Security Info Tool
    • SAML Attribute Query Client (not fully integrated)
    • GridShib Common, including the GridShib Security Framework
    • Globus SAML Library
  • Detailed changelog
  • https://spaces.internet2.edu/display/GS/SAMLAssertionTools
  • GridShib SAML Tools replaces previous GridShib components (Authentication Assertion Client and Shibboleth IdP Tester)

Version 0.1.0

  • Release date: December 22, 2006
  • Includes SAML Assertion Issuer Tool
  • Self-issues a SAML assertion with up to two statements
  • Optionally binds this assertion to an X.509 proxy certificate
  • Supports both SAML AuthenticationStatement and AttributeStatement
  • Separates the issuing of the SAML from the binding of the SAML
  • Automatically determines the assertion issuer from the issuing credential (the issuer of the assertion MUST be the issuer of the proxy)
  • Simple command-line options
  • Enhanced configuration options (via external config file)
  • Compatible with 0.5.0 GridShib for GT Authentication Assertion PIP
  • Compatible with upcoming 0.6.0 GridShib for GT Attribute Assertion Push PIP
  • Conforms to SAML V1.1 Subject-based Assertion Profile
  • Includes SAML X.509 Binding Tool
    • implements X.509 Binding for SAML Assertions
    • based on org.globus.wsrf.client.EmbedAssertion
  • See official announcement for more information

Version 0.1.1

  • Release date: January 5, 2007
  • Support for Java KeyStore
  • Updated documentation
  • See official announcement for more information

Version 0.1.2

  • Release date: January 19, 2007
  • Fixed incompatibility bugs with JDK 1.4
  • Fixed incompatibility bugs with OpenSAML 1.1
  • Enabled logging
  • Enabled debug option
  • Updated JGlobus CoG library
  • Added subjectIP address to command-line interface
  • See official announcement for more information

Version 0.1.3

Version 0.1.4

Version 0.2.0

  • Release date: August 27, 2007
  • Java API for Portal developers
  • Same command-line interface as v0.1.x (but with more options)
    • Support for --authnInstant option
    • Support for --ssoResponse option
  • Added support for RFC3820-compliant proxy certificates
  • Added support for multi-valued attributes
  • Exposed a complete, standalone security framework
    • handles both production and consumption of embedded SAML
    • includes an implementation of SecurityContext
    • distributed as gridshib-common.jar

Version 0.3.0

Version 0.3.1

  • Released SAML Tools v0.3.1 on March 17, 2008
  • Fixes documentation bugs and adds new documentation

Version 0.3.2

  • Released SAML Tools v0.3.2 on March 20, 2008
  • Fixes an important VOMS interoperability bug

Version 0.4.0

  • Released SAML Tools v0.4.0 on May 28, 2008
  • Enhanced config loader framework
  • Refactored GlobusSAMLCredential
  • Modified Java API (for developers)

Version 0.4.1

  • Release date: June 7, 2008
  • Fallout from GridShib-SimpleGrid integration
    • refactored BootstrapConfigLoader class
    • refactored GatewayCredential class
  • New demo app for TeraGrid 08 conference

Version 0.4.2

  • Release date: June 11, 2008
  • Minor bug fixes only

Version 0.5.0

  • Target release date: July 2008
  • New SAML Assertion Testing Tool
  • New SAML Assertion Extraction Tool
  • New SAML Assertion Verify Tool
  • New options to SAML Security Info Tool
  • Implement a vastly improved testing framework
  • Implement object equivalence in SAMLAttribute class
    • implement methods equals(Object) and hasEqualValues(Object)
  • Remove dependency on jce-jdk13-131.jar
  • Support for certPath and keyPath config params
  • Enhancements to GridShib Security Framework
    • implement SAMLPrincipal class
    • implement getSAMLPrincipals() method
  • Document how to deploy gridshib-common into tomcat
  • Other minor enhancements and numerous bug fixes

Post-0.5 features

  • Deploy into $GLOBUS_LOCATION
  • Deploy into tomcat
    • deploy-gridshib-idp
    • deploy-teragrid-idp
    • deploy-gridshib-sp
  • Integrate Shibboleth attribute resolver
    • makes it easy for gateway developers to resolve attributes from LDAP, RDBMS, etc.
  • Support for SAML V2.0 assertions
    • upgrade to OpenSAML 2.0
  • Implement Attribute Query Client 2.0
    • query for attributes, validate the response, and output the assertion
    • analogous to VOMS-SAML client, but for Shib AA
    • (the current query client, based on OpenSAML 1.1, is unusable)
  • Implement Authentication Request Client 2.0
    • analogous to Attribute Query Client, but for the Shib SSO service
    • this is phase II of GSoC2008
  • Support for --relyingParty option
  • Support for geolocation
  • Implement ASN.1 SEQUENCE handling
    • Support multiple SAML assertions in a single X.509 certificate
  • Process nested assertions
    • Parse and log nested assertions
    • Implement policy for nested assertions
  • Parse SAMLAuthorizationDecisionStatement
  • Implement a more general Attribute class
    • Requested attributes (e.g., queries and metadata)
    • Issued attributes (in assertions)
    • Normalized attributes (in the security context)
  • Log security context to a database

Globus SAML Library

  • [done] Bundled with GridShib SAML Tools and GridShib for GT
  • [done] Fork of OpenSAML 1.1 Java Classes
  • [done] augment license headers (if needed)
  • [done] rename package org.opensaml.nameid to org.globus.opensaml11.saml.nameid
  • [done] implement object equivalence
  • [done] enhance SAMLNameIdentifier class (and its unit test)
  • [done] enhance SAMLAttribute class (and its unit test)
  • implement SAMLAssertion.checkConditions method
  • [done] implement SAMLSubjectAssertion class (and corresponding unit test)
  • [done] implement SAMLSubjectAssertion.checkValidity method
  • [done] implement "very strongly matches" in SAMLSubjectAssertion
  • [in progress] implement "strongly matches" in SAMLSubject
  • [done] enhance SAMLSubjectTest
  • [done] implement concrete SAMLSubjectStatement class
  • override SAMLResponse.checkValidity method
  • [done] commit package org.globus.opensaml11.saml to CVS
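The `SAMLAssertion.checkConditions` and `SAMLSubjectAssertion.checkValidity` items above are where a relying party decides whether an assertion may be trusted at all, so here is an added stand-alone illustration in Java of what a SAML 1.1 Conditions check involves: the NotBefore/NotOnOrAfter validity window (NotBefore inclusive, NotOnOrAfter exclusive, with a small clock-skew allowance) and AudienceRestrictionCondition matching. This is example code written for this page, not the Globus SAML Library or OpenSAML implementation; the `Conditions` class, `checkConditions` signature, skew value and sample timestamps and audience URIs are all constructed assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Set;

// Added illustration of a SAML 1.1 Conditions check. Hypothetical types and
// constructed sample values; not the Globus SAML Library's own code.
public class ConditionsCheck {

    /** Minimal stand-in for saml:Conditions (constructed for the example). */
    static final class Conditions {
        final Instant notBefore;                       // null: no lower bound
        final Instant notOnOrAfter;                    // null: no upper bound
        final List<Set<String>> audienceRestrictions;  // one Set per AudienceRestrictionCondition
        Conditions(Instant notBefore, Instant notOnOrAfter, List<Set<String>> audienceRestrictions) {
            this.notBefore = notBefore;
            this.notOnOrAfter = notOnOrAfter;
            this.audienceRestrictions = audienceRestrictions;
        }
    }

    /** Clock-skew allowance assumed for the example. */
    static final Duration DEFAULT_SKEW = Duration.ofSeconds(60);

    /**
     * Returns null when every condition is satisfied, otherwise a human-readable reason.
     * NotBefore is inclusive and NotOnOrAfter is exclusive; each AudienceRestrictionCondition
     * must name at least one audience URI the relying party recognises as its own.
     */
    static String checkConditions(Conditions c, Instant now, Duration skew, Set<String> myAudiences) {
        if (c == null) return null; // no Conditions element: nothing to enforce
        if (c.notBefore != null && now.plus(skew).isBefore(c.notBefore)) {
            return "assertion not yet valid (NotBefore=" + c.notBefore + ")";
        }
        if (c.notOnOrAfter != null && !now.minus(skew).isBefore(c.notOnOrAfter)) {
            return "assertion expired (NotOnOrAfter=" + c.notOnOrAfter + ")";
        }
        for (Set<String> restriction : c.audienceRestrictions) {
            boolean matched = false;
            for (String audience : restriction) {
                if (myAudiences.contains(audience)) { matched = true; break; }
            }
            if (!matched) return "audience restriction not satisfied: " + restriction;
        }
        return null;
    }

    public static void main(String[] args) {
        Set<String> me = Set.of("https://sp.example.org/shibboleth");   // constructed audience URI
        Instant now = Instant.parse("2008-05-28T12:00:30Z");             // constructed "current" time

        Conditions ok = new Conditions(
            Instant.parse("2008-05-28T12:00:00Z"), Instant.parse("2008-05-28T12:05:00Z"),
            List.of(Set.of("https://sp.example.org/shibboleth")));
        Conditions expired = new Conditions(
            Instant.parse("2008-05-28T11:00:00Z"), Instant.parse("2008-05-28T11:05:00Z"),
            List.of());
        Conditions wrongAudience = new Conditions(
            null, null,
            List.of(Set.of("https://other.example.org/shibboleth")));
        // Within 60 s of NotOnOrAfter: accepted only because of the skew allowance.
        Conditions nearEdge = new Conditions(
            null, Instant.parse("2008-05-28T12:00:00Z"), List.of());

        for (Conditions c : List.of(ok, expired, wrongAudience, nearEdge)) {
            String reason = checkConditions(c, now, DEFAULT_SKEW, me);
            System.out.println(reason == null ? "valid" : "rejected: " + reason);
        }
    }
}
```

A passing conditions check says only that the assertion is being used inside its intended window and by its intended audience; it must be combined with the other checks this roadmap lists (signature verification for signed assertions, confirmation-method checking, and, for assertions bound to a proxy certificate, the rule that the assertion issuer equals the proxy issuer) before any statement in the assertion is acted upon. Keep the skew allowance small and explicit: every second of tolerance extends how long a captured assertion remains usable.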

GridShib CA

The next major release will be 0.6.0. Goals for this release are described in Bug 5823 and may be commented on there as well.

See the changelog in the GridShib-CA documentation for history.

Specifications
