GridShib Development Roadmap
From Globus
High-level GridShib Roadmap items are outlined in bugzilla. The information below is fairly detailed and version-specific.
GridShib for GT
General references:
Version 0.5.0
- Release date: November 30, 2006
- Compatibility with both GT4.0 and the GT4.1 development release
- GT4.1 brings major authorization framework changes
- separate binaries for each
- source build will auto-sense target and adjust accordingly
- an update to the identity based authorization feature
- uses gridmap instead of DN ACL
- allows services such as GRAM to (optionally) receive identity->user mappings if the caller is in the gridmap (if configured, this will short circuit attribute based authorization and attribute based user mapping for that caller)
- logging enhancements
- SAML authentication assertion PIP now only accepts bearer confirmation method
- Bugfixes
Version 0.5.1
- Release date: February 15, 2007
- Implement GT4.0 and GT4.1 authorization proxies for the VOMS interceptors (compatibility layer to enable use in both stable and development version of the GT security runtime)
- Implement combined VOMS or Shibboleth attribute to account mapping
- As with the current gridmap situation, GT4.0.x deployments cannot take advantage of a permit overrides and arbitrarily configure fallbacks.
- To accomodate this we'll allow for a name mapping scheme that checks in this order and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth.
- Add name mapping functionality to the current VOMS module
Version 0.5.2
- Release date: April 4, 2007
- Primarily a maintenance release
Version 0.6.0
This version of GS4GT will be compatibility tested with GT 4.0.
- Release date: April 30, 2008
- Released GridShib for GT v0.6.0 Technology Preview 1 on May 14, 2007
- Released GridShib for GT v0.6.0 Technology Preview 2 on May 21, 2007
- Released GridShib for GT v0.6.0 Technology Preview 3 on June 25, 2007
- Released GridShib for GT v0.6.0 Technology Preview 4 on July 30, 2007
- Released GridShib for GT v0.6.0 Alpha on January 31, 2008
- Released GridShib for GT v0.6.0 Release Candidate 1 on April 7, 2008
- Released GridShib for GT v0.6.0 Release Candidate 2 on April 21, 2008
- Released GridShib for GT v0.6.0 Final on April 30, 2008
- See issue tracker Bug 5568
- Implement
SAMLAssertionPushPIP- traverse entire certificate chain
- consume X.509-bound SAML assertions containing
AuthenticationStatementand/orAttributeStatement - parse self-issued, top-level assertions only
- parse at most one assertion per certificate
- minimal support for query in conjunction with push
- Implement
AttributeAcceptancePIP- discard attributes from authorities that have no entity mapping (binary trust)
- Implement SAML Security Context
- security information vetted by
AttributeAcceptancePIPis considered trusted
- security information vetted by
- Implement GridShib Entity Mapper
- allow for mapping of SAML entityIDs to DNs
- Implement blacklisting
- Implement blacklist of IP addresses
- Implement blacklist of name identifiers
- Update echo service to
SecurityContextEchoService- rename WSDLs
- break out GT specific source directories
- Log all attributes including content of
AuthenticationStatement - See GridShib for GT Design page for more information
- GridShib_for_GT_0_6_0 documentation is a page that is being used to organize the documentation overhaul
Version 0.6.1
This version of GS4GT will be incorporated into the Science Gateway Capability Kit v1 for CTSS4.
- Release date: September 26, 2008
- Released GridShib for GT v0.6.1 Release Candidate 1 on August 1, 2008
- Released GridShib for GT v0.6.1 Release Candidate 2 on September 15, 2008
- Released GridShib for GT v0.6.1 Final on September 26, 2008
- Remove dependency on GT 4.2 JARs
- Incorporate gridshib-common-0_5_0.jar (Bug 5791)
- Refactor blacklist framework (Bug 5966)
- Allow blacklisting of identity attributes (such as e-mail address)
- Create bootstrap properties file
- Refactor ant build files and bootstrap application
- Rename
blacklistPrincipalNamesFileconfig parameter (which breaks backward compatibility)
- Fix undeploy bug (Bug 6169)
- Fix bugs in base GT 4.0 interceptors (Bug 6276 and Bug 6270)
- Refactor binary build process (Bug 6074)
- Configure bootstrap property (bug 6269)
- Implement test harness
Version 0.6.2
This version of GS4GT will be incorporated into the Science Gateway Capability Kit v2 for CTSS4.
- Not released
- Incorporate into Capability Kit v2 (Bug 6428)
- Deploy GS-ST into GS4GT and hence into
$GLOBUS_LOCATION(Bug 6426) - Support multiple DNs in metadata (Bug 6427)
- BUG: absolute path in gridshib-bootstrap.properties (Bug 6555)
- made compatibility-breaking API CHANGE to GridShib Common
- Select
gateway_userfromgram_audit_table(Bug 6566)
Version 0.6.3
This version of GS4GT will be compatibility tested with GT 4.2.
- Target release date: unscheduled
- Update GT 4.1/4.2 compatibility code to support new stand-alone authorization framework in GT 4.2 (Bug 6214)
Version 0.7.0
- Target release date: unscheduled
- Add PIP config param to control logging (Bug 6444)
- Refactor gridmap short-circuiting in
GridShibPDP(Bug 6497) - Document GS4GT admin log (Bug 6413)
- Identify Globus principals in log files (Bug 6443)
Post-0.7 features
- Extend
SAMLAssertionPushPIP- extend policy language for pushed authentication context (
AuthenticationMethod,AuthenticationInstant, etc.) - extend policy language for self-asserted attributes
- parse nested SSO assertions (e.g., from GridShib CA or shib-enabled portal)
- extend policy language for proxied attributes (in nested assertions)
- extend policy language for pushed authentication context (
- Support for signed, holder-of-key SAML tokens (Bug 6507)
- extend policy language for signed attributes (in signed, holder-of-key assertions)
- Support for SAML V2.0 metadata (Bug 6504)
- includes metadata production, distribution, and consumption
- metadata facilitates federation; illustrate this by building a mini-federation around SAML metadata
- Support for XACML V2.0
- replace proprietary policy language with XACML
- leverage Globus implementation of "SAML V2.0 Profile for XACML V2.0"
- Implement Attribute Query PIP 2.0
- retool the old attribute query PIP for SAML V2.0
- essentially this is a axis-based version of Attribute Query Client 2.0
- Implement full Attribute Acceptance Policy
- improve attribute acceptance policy for end users (Bug 6409)
- enforce scoped attributes (scoped trust) in
AttributeAcceptancePIP - filter out Shib handles (i.e., transient identifiers)
- Extend blacklist functionality
- allow ranges of IP addresses
- allow blacklisting based on arbitrary user attributes (requires a database)
- Use database for logging and blacklist administration
- Integrate CAS and GridShib
- support SAML Authorization Decision Statements
- integrate CAS functionality
- support authorization decision statements to construct limited proxies
- support XACML statements to construct limited proxies
- Add support for VOMS in security context and PDPs
- Implement SAML authorization plugin for GridFTPd
GridShib for Shib
This GridShib component is currently in hibernation.
New Features
- Support for Shibboleth 2.0
- Implement Attribute Query Handler 2.0
- refactor the current attribute query handler for Shib IdP 2.0
- support Attribute Query PIP 2.0 and Attribute Query Client 2.0
- Implement Authentication Request Handler 2.0
- produce holder-of-key SSO assertions
- support for Authentication Request Client 2.0
- (this phase II of GSoC2008)
- separate Certificate Registry from main distribution (make it totally optional)
GridShib SAML Tools
- The GridShib SAML Tools include:
- SAML Assertion Issuer Tool
- X.509 Binding Tool
- SAML Security Info Tool
- SAML Attribute Query Client (not fully integrated)
- GridShib Common, including the GridShib Security Framework
- Globus SAML Library
- Detailed changelog
- https://spaces.internet2.edu/display/GS/SAMLAssertionTools
- GridShib SAML Tools replaces previous GridShib components (Authentication Assertion Client and Shibboleth IdP Tester)
Version 0.1.0
- Release date: December 22, 2006
- Includes SAML Assertion Issuer Tool
- Self-issues a SAML assertion with up to two statements
- Optionally binds this assertion to an X.509 proxy certificate
- Supports both SAML
AuthenticationStatementandAttributeStatement - Separates the issuing of the SAML from the binding of the SAML
- Automatically determines the assertion issuer from the issuing credential (the issuer of the assertion MUST be the issuer of the proxy)
- Simple command-line options
- Enhanced configuration options (via external config file)
- Compatible with 0.5.0 GridShib for GT Authentication Assertion PIP
- Compatible with upcoming 0.6.0 GridShib for GT Attribute Assertion Push PIP
- Conforms to SAML V1.1 Subject-based Assertion Profile
- Includes SAML X.509 Binding Tool
- implements X.509 Binding for SAML Assertions
- based on org.globus.wsrf.client.EmbedAssertion
- See official announcement for more information
Version 0.1.1
- Release date: January 5, 2007
- Support for Java KeyStore
- Updated documentation
- See official announcement for more information
Version 0.1.2
- Release date: January 19, 2007
- Fixed incompatibility bugs with JDK 1.4
- Fixed incompatibility bugs with OpenSAML 1.1
- Enabled logging
- Enabled debug option
- Updated JGlobus CoG library
- Added subjectIP address to command-line interface
- See official announcement for more information
Version 0.1.3
- Release date: February 14, 2007
- See official announcement for more information
Version 0.1.4
- Release date: May 14, 2007
- See official announcement for more information
Version 0.2.0
- Release date: August 27, 2007
- Released GridShib SAML Tools 0.2.0 TP1 on July 30, 2007
- Released GridShib SAML Tools 0.2.0 TP2 on August 13, 2007
- Released GridShib SAML Tools 0.2.0 Final Release on August 27, 2007
- Java API for Portal developers
- Same command-line interface as v0.1.x (but with more options)
- Support for
--authnInstantoption - Support for
--ssoResponseoption
- Support for
- Added support for RFC3820-compliant proxy certificates
- Added support for multi-valued attributes
- Exposed a complete, standalone security framework
- handles both production and consumption of embedded SAML
- includes an implementation of
SecurityContext - distributed as gridshib-common.jar
Version 0.3.0
- Release date: March 3, 2008
- Released GridShib SAML Tools v0.3.0 Alpha on January 31, 2008
- Released SAML Tools v0.3.0 Release Candidate on February 25, 2008
- The final release of SAML Tools v0.3.0 was announced on March 3, 2008
- See issue tracker Bug 5748
- New SAML Security Info Tool
- New X.509 Binding Tool
- New command-line options:
--properties,--asn1 - Enhanced SAML security context and helper utilities
- Support for TeraGrid Science Gateway Use Case
Version 0.3.1
- Released SAML Tools v0.3.1 on March 17, 2008
- Fixes documentation bugs and adds new documentation
Version 0.3.2
- Released SAML Tools v0.3.2 on March 20, 2008
- Fixes an important VOMS interoperability bug
Version 0.4.0
- Released SAML Tools v0.4.0 on May 28, 2008
- Enhanced config loader framework
- Refactored GlobusSAMLCredential
- Modified Java API (for developers)
Version 0.4.1
- Release date: Jun 7, 2008
- Fallout from GridShib-SimpleGrid integration
- refactored BootstrapConfigLoader class
- refactored GatewayCredential class
- New demo app for TeraGrid 08 conference
Version 0.4.2
- Release date: June 11, 2008
- Minor bug fixes only
Version 0.5.0
- Release date: September 10, 2008
- Released GridShib SAML Tools v0.5.0 Release Candidate 1 on July 8, 2008
- Released GridShib SAML Tools v0.5.0 Release Candidate 2 on August 1, 2008
- Released GridShib SAML Tools v0.5.0 Release Candidate 3 on September 5, 2008
- Released GridShib SAML Tools v0.5.0 Final on September 10, 2008
- New SAML Assertion Testing Tool
- New SAML Assertion Extraction Tool
- New SAML Assertion Verify Tool
- New options to SAML Security Info Tool
- Implement a vastly improved testing framework
- Implement object equivalence in
SAMLAttributeclass- implemented methods
equals(Object)andhasEqualValues(Object)
- implemented methods
- Remove dependency on jce-jdk13-131.jar
- Support for
certPathandkeyPathconfig params - Enhancements to GridShib Security Framework
- implemented
SAMLPrincipalclass - implemented
getSAMLPrincipals()method
- implemented
- Create new GS-ST test credential (Bug 6319)
- created a new CA credential and end-entity credential for testing purposes
- created a Globus trusted CA cert and signing policy file
- Bug: unidentified SAML principals (Bug 6335)
- implemented new
SAMLPrincipalclass withIDmember
- implemented new
- Remove dependency on abs paths from properties files (Bug 6342)
- added system property
gridshib.hometo scripts and build files - added support for relative paths in properties files
- added system property
- Document how to deploy gridshib-common into tomcat
- Other minor enhancements and numerous bug fixes
Version 0.5.1
- Not released
- Add SAML extension to the Meaningless EEC (Bug 6403)
- Bind SAML attributes to the Meaningless EEC
- Include scripts for installing the Meaningless EEC
- Deploy GS-ST into GS4GT and hence into
$GLOBUS_LOCATION(Bug 6426) - Add support for one-to-many file-based mappings (Bug 6500)
- Upgrade to compatible log4j version (Bug 6423)
- Update tg-gateway-config.properties to latest naming conventions
- Implement utility class for GRAM Audit V1 extension (Bug 6449)
Version 0.5.2
- Not released
- Improve support for one-to-many file-based mappings (Bug 6500)
- Refactor the
EntityMapinterface (Bug 6501)
Version 0.5.3
- Not released
- Deployed binary distribution of GS-ST v0.5.3 into GS4GT v0.6.2 (Bug 6426)
- Remove dependency on abs paths from properties files
- Implement new PropertiesUtil class (Bug 6555 Comment #9)
- Enable variable substitution in BootstrapConfigLoader (Bug 6555 Comment #10) including a compatibility-breaking API change
- Implemented new --certPath and --keyPath command-line options (Bug 6571)
Version 0.6.0
- Target release date: unscheduled
- Analyze the use of static methods in
GridShibEntityMapper(Bug 5550) - Implement unit tests for test credentials (Bug 6361)
- Implement explicit holder-of-key subject confirmation (Bug 6405)
- Introduce new concept: security items are accepted, not trusted (Bug 6406)
- Upgrade to compatible cog-jglobus version (Bug 6425)
- Bind holder-of-key SAML token to Meaningless EEC (Bug 6410)
- Fix
--infilecommand-line option (Bug 6445)
Post-0.6 features
- Implement
gridshib-proxy-init(Bug 6419) - Implement self-asserted attributes (Bug 6407)
- Deploy into tomcat
- deploy-gridshib-idp
- deploy-teragrid-idp
- deploy-gridshib-sp
- Integrate Shibboleth attribute resolver
- makes it easy for gateway developers to resolve attributes from LDAP, RDBMS, etc.
- Support for SAML V2.0 assertions (Bug 6505)
- upgrade to OpenSAML 2.0
- Implement Attribute Query Client 2.0
- query for attributes, validate the response, and output the assertion
- analogous to VOMS-SAML client, but for Shib AA
- (the current query client, based on OpenSAML 1.1, is unusable)
- Implement Authentication Request Client 2.0 (Bug 6506)
- analogous to Attribute Query Client, but for the Shib SSO service
- this is phase II of GSoC2008
- Support for
--relyingPartyoption - Support for geolocation
- Implement ASN.1 SEQUENCE handling
- Support multiple SAML assertions in a single X.509 certificate
- Process nested assertions
- Parse and log nested assertions
- Implement policy for nested assertions
- Parse
SAMLAuthorizationDecisionStatement - Implement a more general Attribute class
- Requested attributes (e.g., queries and metadata)
- Issued attributes (in assertions)
- Normalized attributes (in the security context)
- Log security context to a database
Globus SAML Library
- [done] Bundled with GridShib SAML Tools and GridShib for GT
- [done] Fork of OpenSAML 1.1 Java Classes
- [done] augment license headers (if needed)
- [done] rename package org.opensaml.nameid to org.globus.opensaml11.saml.nameid
- [done] implement object equivalence
- [done] enhance
SAMLNameIdentifierclass (and its unit test) - [done] enhance
SAMLAttributeclass (and its unit test) - implement
SAMLAssertion.checkConditionsmethod - [done] implement
SAMLSubjectAssertionclass (and corresponding unit test) - [done] implement
SAMLSubjectAssertion.checkValiditymethod - [done] implement "very strongly matches" in
SAMLSubjectAssertion - [in progress] implement "strongly matches" in
SAMLSubject - [done] enhance
SAMLSubjectTest - [done] implement concrete
SAMLSubjectStatementclass - override
SAMLResponse.checkValiditymethod - [done] commit package org.globus.opensaml11.saml to CVS
GridShib CA
An overview of the GridShib-CA roadmap can be found in this Google doc.
The next major release will be 1.0.0. Goals for this release are described in Bug 5823 and may be commented on there as well.
The following major release will be 2.0.0. Goals for this release are described in Bug 6808 and may be commented on there as well.
See the changelog in the GridShib-CA documentation for history.
Specifications
- [in progress] Subject-based Assertion Profile for SAML V1.1
- http://dev.globus.org/wiki/SAML_in_X.509_Validation#Subject-based_Assertion_Profile
- specify general requirements for SAML V1.1 assertions to make them equivalent to SAML V2.0 assertions
- define the notion of a set of subject-based assertions
- X.509 Binding for SAML Assertions
- SAML 2.0 versions
