# zxid/Changes
# $Id: Changes,v 1.39 2010-01-08 02:10:09 sampo Exp $
# Change log, minor credits, and release history
Usual suspects: zxid.user@lists.unh.edu
To do:
- Add Trust and Privacy Negotiation capability to discovery
- Wishlist of built-in attributes
1. HTTP method (GET, POST, HEAD, etc.)
2. Full URL including the hostname part (currently only local URL is passed)
3. Indication of which virtual server
4. If SOAP, the name of the first direct child element of the SOAP Body
5. Any SOAP Action header, from SOAP message or from HTTP header.
- (Local) logout should either return to referer, or to configurable page
- Depend logging validate, az response, emit logging decorate, azreq
- Static linking, dynamic linking libzxid
- Brian's ordering problem (risaris-bad.xml)
- IdP initiated SLO
- IdP should include URL for correcting information
- Add persona support to IdP
- Add attribute editor support to IdP
Regarding mod_perl stability: I would assume most of that has to do
with underlying memory allocator. All allocation activity in zxid code
goes through zx_alloc() (in zxlib.c:55). The ctx->malloc_func function
pointer is not currently used. I should fix zx_alloc() to use it.
Anyway, all this is in place to ensure that you could replace malloc()
with an alternative allocator, such as Apache pool allocator.
In playing with allocators, important caveat: OpenSSL has similar
vectorable allocator. You should use same allocator for OpenSSL and
ZXID (and perl). libcurl documentation is not entirely clear regarding
its allocator usage, but I assume it uses malloc() so that would be
yet another worry.
https://idp.testshib.org/idp/shibboleth
Google Apps Integration
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
Here are example docs for SimpleSAMLPHP, or Shibboleth:
* http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps
* https://shibboleth.usc.edu/docs/google-apps/
- zxcall should have sso only mode
- zxcall should have discovery only mode and iteration option
- zxcall should have EPR cache and session listing mode -s SID -l
- zxcot should have idpdimd listing mode
- zxpasswd should have user federation listing mode
- zxid_pw_authn() should not report scary error message when
checking .ykspent in not spent case
- ID Mapper to be used by Delegation Service
- zxid_select_tgt()
- Each credential as its own a7n
- X509 attr certs
- Use post screen as confirmation screen
- If generic XML content is seen as attribute value, it should be reserialized as safe_base64 so it can be returned to app layer as attribute (e.g. via LDIF).
zxid-0.63:: 29.7.2010
NOTPUB
- Added mandatory attribute contactType to Contact element in metadata
- Supply AuthnInstant
- Removed sed(1) dependency
- Improved win32cl target
- Added SubjectConfirmation
- Added possibility of using nested EncryptedKey (Shib 2010) instead of RetrievalMethod
- Added Recipient hint in sibling EncryptedKey case. This is sufficient to get Shib 2010 working.
- Added SubjectConfirmationData fields to support bearer subject confirmation method
- Added RelayState field decoding to POST profile
- Added double quote detection inside RelayState value
- Store authentication instant in session and use it in zxid_mk_an_stmt()
- Reworked/created az_base() family of functions to incorporate ideas from patch by Stijn Lievens
- Make nested EncryptedKey a config option
- Added support for fedusername and urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (aka eduPersonPrincipalName)
- Tweaked the az requests to separate ses az from resource az (TAS3 bug #381)
zxid-0.62:: 1.7.2010
- Fix IdP authentication template (runaway HTML comment)
zxid-0.61:: 25.6.2010
- Fixed a crash in case NOSIG_FATAL and indeed no sig
zxid-0.60:: 23.6.2010
- TAS3 package version number synchronization
zxid-0.59:: 22.6.2010
- Added zxcot -m to generate our own metadata (previously only available using WKL method)
- Fixed segv on signature validation when wsc_meta is missing, but NOSIG_FATAL=0
- Improved zxidcot.pl with metadata and registration listings
- Tightened cgi parsing to check lengths of options (avoids false detection)
- Add Az calls to zxid_wsp_validate() and zxid_wsp_decorate()
zxid-0.58:: 25.5.2010
- Make add-envelope processing more tolerant of different namespaces
- Added SOAP fault and tas3:Status
- Improved XML parse error formatting
- Fixed seg fault in zxid_wsc_prepare() in case the EPR lacks Metadata
- Do proper signature validation in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
- Do proper timestamp check in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
- Added RelatesTo correlation check in zxid_wsc_validate_resp_env()
- Added concept of current fault and current tas3 status
- Added accessor functions for faults and tas3 status
- Added local PDP call to all 4 web service call control points
- Added remote PDP call to all 4 web service call control points
zxid-0.57:: 18.5.2010
- Introduced .jar and .war as std binary distribution items
- Check for empty PDP_URL and disable Az in that case
- Added to session localpath, tgtpath, sespath so that application layer can uses ZXID storage for its own purposes.
- Fixed SSO failure case
- Added to session sigres and ssores.
- Added SP local attribute authority, see zxid_ses_to_pool()
- Added local EPR feature to SP local attribute authority, i.e. upon
SSO local EPRs get copied to the new session's EPR cache
zxid-0.56:: 14.5.2010
- Re-tested Windows compile
zxid-0.55:: 26.4.2010
- Fixes in zxididp code
zxid-0.54:: 22.4.2010
- Add ability to absorb multiple EntityDescriptor elements from EntitiesDescriptor, as often happens in Shibboleth federations
- Fixed an infinite loop in zxcot -n -a
- Removed from zxid.h unused functions zxid_idp_soap_dispatch(), zxid_idp_soap_parse(), zxid_sha1_file(). Reported by Eric Rybski
zxid-0.53:: 23.3.2010
- Fixed case where last item (null return) of cached multi discovery would trigger yet another discovery
- Added logging of the issued discovery messages
- Feature improvements to zxidappdemo.java
- Added ENA_PG and coverage targets to the Makefile (current coverage 47%)
- Process session in validate
- Added more Shibboleth metadata extensions. I claim Shibboleth metadata parses w/o warnings.
- Added SAML idp-discovery extention to metadata
- Changed templating system for IdP an page (other pages may be changed later to use the same)
- Added zxidnewuser.pl and other IdP mangement web GUI scripts
- Added zxid_wsc_prepare_call() and zxid_wsc_valid_resp() APIs, see zxidwscprepdemo.java for usage
zxid-0.52:: 15.2.2010
- Log session create and destroy
- Relax error checking in SLO: missing NameID ok if sesix supplied
- Better session populate in zxid_wsp_validate()
- Fixed virtual host (URL autodetect) code in zxidwspdemo.java
zxid-0.51:: 15.2.2010
- LOAD_COT_CACHE=file feature. The cache is concatenation of the metadata of CoT
- Change zxid_az() to return string containing XACML obligations
- Eliminate UI clutter: show_tech config flag with default off
- Thread safety: cf->ipport, key loading, cf->curl, cf->cot
- Thread safety: decoding contexts
zxid-0.50:: 9.2.2010
- Fixed missing prefix in case of unknown tag/namespace
- Fixed ordering of unknown tags
- Added beginnings of a test suite, see zxtest.pl
- Added WSP tool: zxidwspcgi
zxid-0.49:: 1.2.2010
- Added AuthnSvc client and zxcall tool, which allows shellscript wsc
- The zxcall tool also allows shell script az
- Removed arbitrary 64KB limits from metadata, SOAP, and EPR processing. Now dynamically reallocated as needed.
- Added zxid_ses_to_{ldif|json|qs}() family of functions
- Added zxid_add_attr_to_ses() and zxid_add_qs_to_ses()
zxid-0.48:: 18.1.2010
- Fixed reversed WO rendering of parsed unknown elements
- Definititve path sanity fix for zxcot -bs
- Fixed ses check in case of no ses in zxid_cache_epr()
- Fixed iterations other than n==1 in zxid_get_epr()
- Added in zxiddi ability to compare ProviderID to EPR Address
zxid-0.47:: 14.1.2010
- Refactored zxcot to support -bs
- Fixed recursive bootstrap infinite recursion and defined policy re recursive bootstrap level
zxid-0.46:: 13.1.2010
- Moved project under git at zxidrepo, still learning.
- Fixed nameid memory allocation problem
- Added missing Java files to manifest
zxid-0.45:: 7.1.2010
- Fixed error handling when unable to decrypt an assertion
- Fixed mod_auth_saml redirect_to_content when no relay state
- Do proper signing in zxid_wsf_call() and zxid_wsp_decorate()
zxid-0.44:: 16.12.2009
- Fixed transient always on bug
- Fixed memory free bug in case where defederation is not supported
zxid-0.43:: 29.11.2009
- Fix PHP support for zxid_wsp_validate() and zxid_wsp_decorate()
- Renamed hexdec to zx_hexdec to avoid risking conflicts
zxid-0.42:: 22.11.2009
- Added service file name computator: zxcot -n -b <epr.xml
- Expose assertion path
- zxid_call() reengineering
- Added support for urn:mace:shibboleth:metadata:1.0
- Added support for TAS3 Credentials and Simple Obligations Language (SOL)
- Added zxid_wsp_validate() and zxid_wsp_decorate()
- zxidhrxmlwsc and zxidhrxmlwsp tested to work
zxid-0.41:: 20.11.2009
- Yubikey support in zxiduser.c and zxpasswd
- config dump screen (o=d)
- OpenSSL_add_all_algorithms() fix from Stefan @ Koblenz
- di_Query support
- ID-WSF 2.0 AuthnSvc support
- Bootstrap support, improved
- SAML2 IdP support with attributes and bootstraps
- zxid-idp.pd documentation
- Added 403 Denied error response to SSO servlet (zxidsrvlet.java)
- Various bug fixes to zxididp and zxidjava
- First winbin release in long time (zxid-0.41-win32-bin.zip)
zxid-0.40:: 14.11.2009
- Shib2 interop testing
- XACML cd1 support (sending policies in request)
- Populate both OID and FriendlyName variants of attributes from assertion
- Extensively tested java servlet configuration with zxidjni.az()
- Greatly improved zxid-java.pd documentation
- Fixed and tested mod_php configuration with zxid_az()
- Fixed and tested mod_perl configuration with Net::SAML::az()
- Retested mod_auth_saml
zxid-0.39:: 5.11.2009
- Added zxidsrvlet and zxidappdemo
zxid-0.38:: 16.10.2009
- Added better integrated zxidsrvlet
zxid-0.36:: 14.10.2009
- Added building war files (from Brian Reynolds <leitrim_94@yahoo.com>)
- Removed duplicate cn from Auto-Cert generated self signed certs and CSRs
- Fixed gcc 4.2 specific compile problem re cast as lvalue (thanks Brian)
zxid-0.35:: 11.10.2009
- fixed Solaris compile problems
zxid-0.34:: 17.9.2009
- Added TAS3 package targets for Java and PHP
zxid-0.33:: 9.9.2009
- Removed Apache check from default make
- Continued refactoring README.zxid to separate documents
- Changed configuration file reading so that config file is (re)read
whenever PATH is supplied, but not if PATH is supplied in file itself.
- Added dummy PDP
- Added zxcot tool
- Fixed zxdecode tool and added html parsing support
- Added xml-pretty.pl tool
- Added Auto-Cert feature to generate self signed certificates on the fly
- Added optional HMAC chaning code to the log format (but not implementation)
- Added attribute broker and PEP features
- Fixed relay state handling in mod_auth_saml so you land on right protected content page
- Added support for zxid_simple() returing JSON or Query String in addition to traditional LDIF
- Added preliminary and incomplete CARML support (see Identity Governance Framework - IGF)
- Fixed innumerous bugs in mod_auth_saml
- Added setting REMOTE_USER to mod_auth_saml
zxid-0.32:: 25.3.2009
- Fixed Java compile
zxid-0.31:: 15.11.2008
- Fixed validation of signatures in redirect binding
- Added logging of relied upon information in redirect binding
- Fixed memory leak in SLO and MNI
- Refactored dispatch functions so CGI and others use same code
- Fixed redirect binding signature validation
zxid-0.30:: 28.9.2008
- Fixed some type warnings
- Fixed core dump in mod_auth_saml without query string
- Fixed redirect hack to cope with the query string
zxid-0.29:: 24.9.2008
- Fixed bug in redirect hack
- Added ANON_OK
- Added REQUIRED_AUTHNCTX
- Added IDP_SEL_PAGE
- Debugged and tested the mod_auth_saml Real World Example
zxid-0.28:: 18.9.2008
- Fixed some Apache documentation issues
- Added redirect hack to allow mapping imposed URLs to ZXID native URLs)
zxid-0.27:: 17.9.2008
- Added BSDmakefile hack, suggested by Slaven Rezic (slaven at rezic.de)
- Added NON_STANDARD_ENTITYID option
- Added precheck to quickly check main compliation and linking problems
zxid-0.26:: 9.5.2008
- Fixed Auto-CoT bug due to form field name conflict
- Added missing .java files to Manifest
zxid-0.25:: 17.4.2008
- Added support for SAML POST-SimpleSign binding
- Added preliminary draft support for Orange Personal APIs
- Added default-cot - ship metadata for some IdPs
- Updated documentation about joining OpenLiberty.org
zxid-0.24:: 22.2.2008
- Added mod_auth_saml
- Many fixes from testing against commercial products
zxid-0.23:: 12.10.2007
- Support MNI to change NameID
- Support EncryptedID on outbound traffic (MNI, SLO)
zxid-0.22:: 10.10.2007
- Added log levels 1 and 2
- Added @Destination handling
- Ensured preservation of whitespace in XML parsing and exc-xml-canon
- Fixed alphabetization of attributes in exc-xml-canon
- Added signing ArtifactResolve, LogoutRequest, and ManageNameIDRequest over SOAP
- Improved handling of empty ns prefix for XML attributes
- Print source IP to logs
zxid-0.21:: 8.10.2007
- Fixed missing Content-type header, reported by Damien Laniel <dlaniel@@entrouvert_com>
- Segregated prototypes that use va_list to zxidnoswig.h to avoid problem on Redhat
- Created cygwin target
- Changed the USE_LOCK handling to allow dummy on cygwin
- Fixed MGMT auto flag
- Fixed handling of InclusiveNamespaces/@PrefixList
zxid-0.20:: 1.10.2007
- EncryptedAssertion, EncryptedAttribute, and EncryptedID support
- Fixed signing of redirect URLs
- Fixed indigestion over processing instructions and comments
- Fixed encoding of attribute namespaces
- Added xs and xsi namespaces
- Fixed lookup of attribute tokens without namespace (mismatching id symptom)
zxid-0.19:: 11.8.2007
- fixed php support
- bug and documentation fixes
zxid-0.18:: 17.7.2007
- Added HR-XML WSC and WSP support
- Much stabilization of ID-WSF code
zxid-0.17:: 6.3.2007
- bug fixes
zxid-0.16:: 4.3.2007
- Added ID-DAP support
- Added ID-MM7 support
- Added Contact Book support
- Added Geo Location support
- Added People Service support
- Added ID Mapping support
- Added Authentication Service support
- Added DST and Subscriptions support
- Added XACML2 support
- Added WS-Trust 1.3 support
zxid-0.15:: 22.2.2007
- JAVAC_FLAGS tweak to avoid insufficient heap from Sean Doyle
- Fixed zxid_fed_mgmt_cf() unimplemented warning
- Documented fix for __init_array_start linking problem
- Annotated sources with call graph information, added call-anal.pl
zxid-0.14:: 21.2.2007
- zxidhlo.java and Tomcat example perfected
zxid-0.13:: 20.2.2007
- Java interface cleanup
- Mac compile fixes
- minor bug fixes
zxid-0.12:: 10.2.2007
- WSF bootstrap handling
- rework of session system
- bug fixes
zxid-0.11:: 1.2.2007
- MinGW DLL fixes
zxid-0.10:: 31.1.2007
- MinGW DLL production works
zxid-0.9:: 26.1.2007
- fixed compilation
- preliminary Windows support using MinGW
zxid-0.8:: 1.12.2006
- Improved signature checking
- New logging infrastructure, document logging
- Support config files, document the format
zxid-0.7:: 25.9.2006
- WO encoding with namespace support
- First cut of XMLDSIG validation (very early signing, too)
- Fixes to PHP, mod_php, Perl, and mod_perl support
zxid-0.6:: 18.9.2006
- PHP support, including mod_php
zxid-0.5:: 15.9.2006
- Encoders and decoders for ID-WSF and ID-FF (various versions)
zxid-0.4:: 4.9.2006
- mod_perl/Net::SAML SP
zxid-0.3:: Late Ago 2005
- First fully functional release
zxid-0.2:: Ago 2005
- SAML 2.0 encoders and decoders, metadata import works
zxid-0.1:: Ago 2005
- Project founded.
# EOF