Transcript
Page 1: Shibboleth & Shibboleth Consortium

Shibboleth & Shibboleth Consortium

Page 2: Shibboleth & Shibboleth Consortium

Background

• Shibboleth evolved out of Internet2 Middleware Activity in 2000, with first release in 2003.

• Significant funding from Internet2 (USA) and latterly JISC (UK) resulted in wide adoption by research and education communities and enterprises around the world.

• Used by 26 national federations (as of May 2013):

UKAMF (UK), InCommon (US), SWITCHaai (Switzerland), AAF (Australia), AAI@EduHR (Croatia), ACOnet (Austria), Belnet (Belgium), CAF (Canada), CAFe (Brazil), CARSI (China), CESNET (Czech Republic), COFRe (Chile), DFN-AAI (Germany), Edugate (Ireland), eduID.hu (Hungary), GakuNin (Japan), GRNET (Greece), Haka (Finland), IDEM (Italy), LAIFE (Latvia), Tuakiri (New Zealand), RCTSaai (Portugal), RENATER (France), SIArnesAAI (Slovenia), SWAMID (Sweden), TAAT (Estonia) and ULAKAAI (Turkey).

Page 3: Shibboleth & Shibboleth Consortium

Shibboleth Consortium

• Ongoing funding for development, maintenance and support was identified as problematic.

• Aimed to build on Shibboleth adoption and broaden funding base, as well as derive benefits from increasing commercial usage.

• Recognised that formal structure was required to receive contributions, pay developers, and determine the technical direction of the project.

• Internet2, Janet and SWITCH agreed to form Shibboleth Consortium and signed charter establishing this in April 2013.

• Developing membership to ensure sustainability.

Page 4: Shibboleth & Shibboleth Consortium

Consortium Membership

• Principal Members (those contributing €120K per year)

Internet2 (US), Janet (UK) & SWITCH (Switzerland)

• Federation Members

ACOnet (Austria), NII/GakuNin (Japan), CSC/Haka (Finland), RENATER (France) & NORDUnet (Nordic region)

• Academic / Non-Profit Members

Carnegie Mellon University (US) & LIGO Scientific Collaboration (US)

• Commercial Members

TBD?

Page 5: Shibboleth & Shibboleth Consortium

Consortium Structure

• S. Cantor (Ohio State)

• J. Sharp (Janet)

• S. Waggener (I2)

• C. Witzig (SWITCH)

K. Meynell (Janet)

Page 6: Shibboleth & Shibboleth Consortium

Membership Fees

Category: Small / Medium / Large

• Principal Member: €100,000 / €100,000 / €100,000

• NREN/Federation Member: €10,000 (<250 IdP+SPs) / €20,000 (251-750 IdP+SPs) / €40,000 (>750 IdP+SPs)

• Academic/Non-Profit Member: €2,000 (<10K users) / €4,000 (10-50K users) / €6,000 (>50K users)

• Commercial Member: €4,000 (<€10M) / €8,000 (€10-100M) / €16,000 (>€100M)

Page 7: Shibboleth & Shibboleth Consortium

Project Update

• All products in maintenance mode pending release of IdPv3, apart from security issue response

• Heartbleed Update

• Relatively minimal impact on project, as opposed to federations, deployers

• SP patch issued within a week

• Longer term: V3 likely to include a separately generated key for SOAP security, and a continued goal of de-emphasizing back channel profiles

Page 8: Shibboleth & Shibboleth Consortium

IDPv3 Status

• Probably 80% feature complete

• Major TODOs:
– Install / upgrade scripts
– Porting uApprove functionality
– Limited logout capability added to 2.4
– ECP (due to goal of not requiring container managed authn)
– Polishing error handling
– Audit Logging
– Documentation

• Nearing an alpha release, but documentation is the main hold up

Page 9: Shibboleth & Shibboleth Consortium

IDPv3 Config Compatibility

• Aiming for compatibility with:
– relying-party.xml (but deprecated)
– attribute-resolver.xml
– attribute-filter.xml

• Not even trying:
– handler.xml (*)
– internal.xml

(*) Some kind of migration help for simple login configs likely

Page 10: Shibboleth & Shibboleth Consortium

IDPv3 Config Changes

• Much more use of native Spring, particularly internally, also to deal with advanced features

• Properties file(s) used to configure many common settings without editing XML

• User-editable and should-not-edit files are separated for clarity

• Metadata sources separated from RelyingParty/Profile configuration

• Authentication is completely different, but out of the box capability similar

Page 11: Shibboleth & Shibboleth Consortium

2015-2016 Planning

• Planning based on flat resources; reductions will require more prioritization of maintenance responsibilities against future work

• Seeking community input on future projects

Page 12: Shibboleth & Shibboleth Consortium

Givens

• Stabilization work on V3 (small to medium)

• Java 8 support for V2 (small)

• SP Patch / Refresh (small)

• EDS Patch / Refresh (small)

Page 13: Shibboleth & Shibboleth Consortium

Impactful Items

• V2 Support past mid-'15 (s)

• Product Docs (m)

• Developer Docs (m)

• Conceptual Docs (m)

• SAML Logout (m)

• SP Ext for IIS7+ (s)

• Java SP (l)

• OpenID Connect (l)

• SP OAuth Authorization (m/l)

• Central Discovery Service Refresh (m)

• TestShib (m)

• Consent Enhancements (s)

• Atlassian Plugins (s)

Page 14: Shibboleth & Shibboleth Consortium

Questionables

• SAML GSS-API Production Implementation
– Major undertaking without significant outside help or long development cycle

• SP Feature Update
– Continues to be fairly ahead of the feature adoption curve

• Office 365
– Recent Microsoft announcement casts doubt on need for WS-Trust support

• OAuth IdP integration
– Interoperability and scoping questions
– Relationship to IdP feature set unclear

Page 15: Shibboleth & Shibboleth Consortium

Projected Income & Expenditure (Aug 2013-Jul 2014)

• Income £302,149
– Principal Members £199,426
– Other Members £61,979

(Received to date = £267,610)

• Expenditure £253,262
– Developers £185,712
– Consortium Management £43,686
– Travel £15,000
– Website £5,000
– Other £3,864

• Internet2 Expenditure $147,786 (~£88,244)

Page 16: Shibboleth & Shibboleth Consortium

Membership Fees

Category: Small / Medium / Large

• Principal Member: €100,000 / €100,000 / €100,000

• NREN/Federation Member: €10,000 (<250 IdP+SPs) / €20,000 (251-750 IdP+SPs) / €40,000 (>750 IdP+SPs)

• Academic/Non-Profit Member: €2,000 (<10K users) / €4,000 (10-50K users) / €6,000 (>50K users)

• Commercial Member: €4,000 (<€10M) / €8,000 (€10-100M) / €16,000 (>€100M)

Page 17: Shibboleth & Shibboleth Consortium

Board Nominations

• Members will select a Board representative in a forthcoming e-mail vote this summer

• Call for nominations, here or by e-mail to [email protected]

Page 18: Shibboleth & Shibboleth Consortium

Further Information

• Shibboleth website

http://shibboleth.net/

• Consortium documents

Charter http://shibboleth.net/documents/shibboleth-charter-signed-20130424.pdf

Organisational Regulations http://shibboleth.net/documents/operating-resolution-20130529.pdf

Shibboleth 3: A New Identity Platform http://shibboleth.net/documents/business-case.pdf

• Joining the Consortium

http://shibboleth.net/documents/application.pdf

