Changes

Single Logout in Shibboleth IdP

2,086 bytes added, 24 November 2010, 17:34
2.2.0-slo10
The SAML profiles specification (section 4.4.3.1) clearly states that the front channel should be preferred when sending the LogoutRequest to the session authority (IdP). If the user interface is generated by the IdP, it can inform the user about the whole logout process and each SP's response. If the SP used a back-channel LogoutRequest, the IdP's response would contain only minimal information (i.e. success or failure), which is not desirable. Also, the IdP would need to execute back-channel requests in parallel and synchronize them with the originating request, which would make the processing code much more complex.
=== Our proposed technical solution ===
Our proposal is to prefer back-channel endpoints at the service provider side, unless your application needs to be notified via front-channel. For example,
* if your application behind your SP needs the session cookie with the notification, use only front-channel bindings in the SP metadata,
With these mutually exclusive endpoint sets, the SP can clearly advise the IdP which binding it should use when contacting this SP. Thus on the IdP side, both implementations need to be available.
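The endpoint-set rule above, as an added example (not part of the original page and not Shibboleth code): a Python check that reads SP metadata and reports which channel each SP advises the IdP to use for logout. The entity IDs and URLs are constructed, and reporting a mixed set as "ambiguous" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
BACK = {B + "SOAP"}
FRONT = {B + "HTTP-Redirect", B + "HTTP-POST"}  # other bindings are not classified here

# Constructed sample (hypothetical entity IDs and URLs), trimmed to what the check reads.
SAMPLE = f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<EntityDescriptor entityID="https://sp-a.example.org/sp"><SPSSODescriptor>
  <SingleLogoutService Binding="{B}SOAP" Location="https://sp-a.example.org/SLO/SOAP"/>
</SPSSODescriptor></EntityDescriptor>
<EntityDescriptor entityID="https://sp-b.example.org/sp"><SPSSODescriptor>
  <SingleLogoutService Binding="{B}HTTP-Redirect" Location="https://sp-b.example.org/SLO/Redirect"/>
  <SingleLogoutService Binding="{B}HTTP-POST" Location="https://sp-b.example.org/SLO/POST"/>
</SPSSODescriptor></EntityDescriptor>
<EntityDescriptor entityID="https://sp-c.example.org/sp"><SPSSODescriptor>
  <SingleLogoutService Binding="{B}SOAP" Location="https://sp-c.example.org/SLO/SOAP"/>
  <SingleLogoutService Binding="{B}HTTP-Redirect" Location="https://sp-c.example.org/SLO/Redirect"/>
</SPSSODescriptor></EntityDescriptor>
</EntitiesDescriptor>"""


def slo_channels(metadata_xml):
    """Map each SP entityID to (channel, [endpoint locations])."""
    # Assumption: the metadata signature was verified before this is called.
    result = {}
    for entity in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        back, front = [], []
        for ep in entity.findall(f"{MD}SPSSODescriptor/{MD}SingleLogoutService"):
            if ep.get("Binding") in BACK:
                back.append(ep.get("Location"))
            elif ep.get("Binding") in FRONT:
                front.append(ep.get("Location"))
        if back and front:
            # Sets are not mutually exclusive: the SP gives the IdP no clear advice.
            result[entity.get("entityID")] = ("ambiguous", back + front)
        elif back:
            result[entity.get("entityID")] = ("back-channel", back)
        elif front:
            result[entity.get("entityID")] = ("front-channel", front)
        else:
            result[entity.get("entityID")] = ("none", [])
    return result


if __name__ == "__main__":
    for sp, (channel, urls) in slo_channels(SAMPLE).items():
        print(sp, channel, urls)
```

Run over a federation metadata file, the "ambiguous" and "none" rows are the SPs to follow up with, since their sessions may survive a logout the user believes was global.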
 
=== Non-technical solution ===
Another option would be to add a new requirement for your end users. You can declare that banning third-party cookies is unsupported (because it breaks SLO), just like disabling all cookies (which breaks SSO). Convincing your users (and the Shibboleth developers) to accept this solution might be dubious, though.
== Features ==
=== Released versions ===
* download the latest binary snapshot version from our [http://software.niif.hu software distribution site]
==== v2.2.0-slo10 ====
* fix configuration templates
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=23593c89903cff2fb53bdb939bd463754496a439;sf=tgz shibboleth-common-1.2.0-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=275bda0758df9f5f26f35eb69a690b63b697e520;sf=tgz shibboleth-identityprovider-2.2.0-slo10]
==== v2.2.0-slo9 ====
* allow EncryptedID to be used in the initiating request (patch contributed by Michael Simon from Karlsruher Institut für Technologie)
* expose method for programmatic back-channel logout
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=23593c89903cff2fb53bdb939bd463754496a439;sf=tgz shibboleth-common-1.2.0-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=46ae3f6475ed578440c72bec3c9a63b387854a70;sf=tgz shibboleth-identityprovider-2.2.0-slo9]
==== v2.1.5-slo7 ====
* use AttributeConsumingService/ServiceName to feed the logout interface
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.aai4-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=88e7334e7fdc36454ef5c3bf1342bb402c08bdd4;sf=tgz java-idp-2.1.5-slo7]
==== v2.1.5-slo6 ====
* skip session-indexing under error conditions
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.4-slo2]
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=snapshot;h=df79269261fc1fdd3ac99cf4aca2fa7fffd38e33;sf=tgz java-idp-2.1.5-slo6]
==== v2.1.5-slo5 ====
* fixed NullPointerException with non-existent or filtered NameIdentifiers
* fixed a flaw in session-indexing logic, use the whole NameIdentifier as the index, not just the value
* source code snapshots
** [https://repo.niif.hu/gitweb/gitweb.cgi?p=java-shib-common.git;a=snapshot;h=3f7fa9509d8751787943a32817dab55b69736488;sf=tgz java-shib-common-1.1.4-slo2]