Shibboleth & Shibboleth Consortium

Slides: 19
Provided by: Christo564

1
Shibboleth & Shibboleth Consortium
2
Background
  • Shibboleth evolved out of Internet2 Middleware
    Activity in 2000, with first release in 2003.
  • Significant funding from Internet2 (USA) and
    latterly JISC (UK) resulted in wide adoption by
    research and education communities and enterprises
    around the world.
  • Used by 26 national federations (as of May 2013)
      • UKAMF (UK), InCommon (US), SWITCHaai
        (Switzerland), AAF (Australia), AAI@EduHR
        (Croatia), ACOnet (Austria), Belnet (Belgium),
        CAF (Canada), CAFe (Brazil), CARSI (China),
        CESNET (Czech Republic), COFRe (Chile), DFN-AAI
        (Germany), Edugate (Ireland), eduID.hu (Hungary),
        GakuNin (Japan), GRNET (Greece), Haka (Finland),
        IDEM (Italy), LAIFE (Latvia), Tuakiri (New
        Zealand), RCTSaai (Portugal), RENATER (France),
        SIArnesAAI (Slovenia), SWAMID (Sweden), TAAT
        (Estonia) and ULAKAAI (Turkey).

3
Shibboleth Consortium
  • Ongoing funding for development, maintenance and
    support was identified as problematic.
  • Aimed to build on Shibboleth adoption and broaden
    funding base, as well as derive benefits from
    increasing commercial usage.
  • Recognised that formal structure was required to
    receive contributions, pay developers, and
    determine the technical direction of the project.
  • Internet2, Janet and SWITCH agreed to form
    Shibboleth Consortium and signed charter
    establishing this in April 2013.
  • Developing membership to ensure sustainability.

4
Consortium Membership
  • Principal Members (those contributing 120K per
    year)
      • Internet2 (US), Janet (UK) and SWITCH (Switzerland)
  • Federation Members
      • ACOnet (Austria), NII/GakuNin (Japan), CSC/Haka
        (Finland), RENATER (France) and NORDUnet (Nordic
        region)
  • Academic / Non-Profit Members
      • Carnegie Mellon University (US) and LIGO Scientific
        Collaboration (US)
  • Commercial Members
      • TBD?

5
Consortium Structure
S. Cantor (Ohio State), J. Sharp (Janet), S. Waggener (I2), C. Witzig (SWITCH)
K. Meynell (Janet)
6
Membership Fees
Category: Small / Medium / Large
  • Principal Member: 100,000 / 100,000 / 100,000
  • NREN/Federation Member: 10,000 (<250 IdPs+SPs) / 20,000 (251-750 IdPs+SPs) / 40,000 (>750 IdPs+SPs)
  • Academic/Non-Profit Member: 2,000 (<10K users) / 4,000 (10-50K users) / 6,000 (>50K users)
  • Commercial Member: 4,000 (<10M) / 8,000 (10-100M) / 16,000 (>100M)
7
Project Update
  • All products in maintenance mode pending release
    of IdPv3, apart from security issue response
  • Heartbleed Update
  • Relatively minimal impact on project, as opposed
    to federations, deployers
  • SP patch issued within a week
  • Longer term V3 likely to include a separately
    generated key for SOAP security, and a continued
    goal of de-emphasizing back channel profiles

8
IDPv3 Status
  • Probably 80% feature complete
  • Major TODOs
  • Install / upgrade scripts
  • Porting uApprove functionality
  • Limited logout capability added to 2.4
  • ECP (due to goal of not requiring container
    managed authn)
  • Polishing error handling
  • Audit Logging
  • Documentation
  • Nearing an alpha release, but documentation is
    the main hold up

9
IDPv3 Config Compatibility
  • Aiming for compatibility with
  • relying-party.xml (but deprecated)
  • attribute-resolver.xml
  • attribute-filter.xml
  • Not even trying
  • handler.xml (*)
  • internal.xml
  • (*) Some kind of migration help for simple login
    configs likely

10
IDPv3 Config Changes
  • Much more use of native Spring, particularly
    internally, also to deal with advanced features
  • Properties file(s) used to configure many common
    settings without editing XML
  • User-editable and should-not-edit files are
    separated for clarity
  • Metadata sources separated from
    RelyingParty/Profile configuration
  • Authentication is completely different, but out
    of the box capability similar

11
2015-2016 Planning
  • Planning is based on flat resources; reductions will
    require more prioritization of maintenance
    responsibilities against future work
  • Seeking community input on future projects

12
Givens
  • Stabilization work on V3 (small to medium)
  • Java 8 support for V2 (small)
  • SP Patch / Refresh (small)
  • EDS Patch / Refresh (small)

13
Impactful Items
  • V2 Support past mid-'15 (s)
  • Product Docs (m)
  • Developer Docs (m)
  • Conceptual Docs (m)
  • SAML Logout (m)
  • SP Ext for IIS7 (s)
  • Java SP (l)
  • OpenID Connect (l)
  • SP OAuth Authorization (m/l)
  • Central Discovery Service Refresh (m)
  • TestShib (m)
  • Consent Enhancements (s)
  • Atlassian Plugins (s)

14
Questionables
  • SAML GSS-API Production Implementation
  • Major undertaking without significant outside
    help or long development cycle
  • SP Feature Update
  • Continues to be fairly ahead of the feature
    adoption curve
  • Office 365
  • Recent Microsoft announcement casts doubt on need
    for WS-Trust support
  • OAuth IdP integration
  • Interoperability and scoping questions
  • Relationship to IdP feature set unclear

15
Projected Income & Expenditure (Aug 2013-Jul 2014)
  • Income 302,149
  • Principal Members 199,426
  • Other Members 61,979
  • (Received to date 267,610)
  • Expenditure 253,262
  • Developers 185,712
  • Consortium Management 43,686
  • Travel 15,000
  • Website 5,000
  • Other 3,864
  • Internet2 Expenditure 147,786 (88,244)

16
Membership Fees
Category: Small / Medium / Large
  • Principal Member: 100,000 / 100,000 / 100,000
  • NREN/Federation Member: 10,000 (<250 IdPs+SPs) / 20,000 (251-750 IdPs+SPs) / 40,000 (>750 IdPs+SPs)
  • Academic/Non-Profit Member: 2,000 (<10K users) / 4,000 (10-50K users) / 6,000 (>50K users)
  • Commercial Member: 4,000 (<10M) / 8,000 (10-100M) / 16,000 (>100M)
17
Board Nominations
  • Members will select a Board representative in a
    forthcoming e-mail vote this summer
  • Call for nominations, here or by e-mail to
    contact@shibboleth.net

18
Further Information
  • Shibboleth website
      • http://shibboleth.net/
  • Consortium documents
      • Charter: http://shibboleth.net/documents/shibboleth-charter-signed-20130424.pdf
      • Organisational Regulations: http://shibboleth.net/documents/operating-resolution-20130529.pdf
  • Shibboleth 3: A New Identity Platform
      • http://shibboleth.net/documents/business-case.pdf
  • Joining the Consortium
      • http://shibboleth.net/documents/application.pdf