| Apache CXF Fediz 1.2.2 Release Notes |
| ------------------------------------ |
| |
| 1. Overview |
| |
| The 1.2.x versions of Apache CXF Fediz provide the following features: |
| |
| * WS-Federation 1.0/1.1/1.2 |
| * SAML 1.1/2.0 Tokens |
| * Custom token support |
| * Publish WS-Federation Metadata document for RP and IDP |
| * Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens |
| * Claims information provided by FederationPrincipal interface |
| * Fediz IDP supports Resource and Requestor IDP role, Home Realm Discovery Service, ... |
| * Support for Jetty, Tomcat, Websphere and Spring Security 2.0/3.1 |
| * Support for logout in the RP and IDP |
| * Support for logging on to the IdP via UsernamePassword, Kerberos and TLS |
| client authentication |
| * A container independent CXF plugin for WS-Federation |
| * A REST API for the IDP |
| * Support to use the IDP as an identity broker with a remote SAML SSO IDP |
| |
| |
| 2. Installation Prerequisites |
| |
| Before installing Apache CXF Fediz, make sure the following products, |
| with the specified versions, are installed on your system: |
| |
| * Java 6 or 7 Development Kit |
| * Apache Maven 3.x to build the samples |
| |
| 3. Installation Procedures |
| |
| Follow the Getting Started instructions at |
| http://cxf.apache.org/fediz.html#Fediz-Gettingstarted for information |
| on installing the Fediz IDP and IDP STS. |
| |
| 4. Building the Samples |
| |
| Building the samples included in the binary distribution is easy. Change to |
| the examples directory and follow the build instructions in the README.txt file |
| included with each sample. |
| |
| 5. Replacing provided keystores |
| |
| The sample keystores provided are fine for development and prototyping use |
| but make sure to replace them for any production use, see |
| see examples/samplekeys/HowToGenerateKeysREADME.html for key generation |
| information. |
| |
| 6. Reporting Problems |
| |
| If you have any problems or want to send feedback of any kind, please e-mail the |
| CXF user list, users@cxf.apache.org. You can also file issues in JIRA at: |
| |
| http://issues.apache.org/jira/browse/FEDIZ |
| |
| |
| 7. Migration notes: |
| |
| N.A. |
| |
| |
| 8. Specific issues, features, and improvements fixed in this version |
| |
| Release Notes - CXF-Fediz - Version 1.2.2 |
| |
| Sub-task |
| |
| [FEDIZ-106] - Spring plugin support for configurable token validation |
| [FEDIZ-107] - CXF plugin support for configurable token validation |
| [FEDIZ-108] - Jetty plugin support for configurable token validation |
| [FEDIZ-110] - Update Plugin Configuration Documentation |
| |
| Bug |
| |
| [FEDIZ-117] - Race condition in CXF plugin related to request restoration after redirect |
| [FEDIZ-125] - Logout is not working in Fediz websphere plugin and cookie name is not configurable |
| [FEDIZ-128] - Parent POM dependencies wrong in Websphere artifacts |
| [FEDIZ-129] - Default values in the schema are not actually used |
| [FEDIZ-139] - cxf-fediz plugin osgi export |
| [FEDIZ-140] - IDP caches outdated SAML Tokens |
| [FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work |
| [FEDIZ-146] - wtrealm should not be mandatory for 3rd party signin response |
| [FEDIZ-147] - IDP will be listed in HomeRealm Selection view, even if it should not be used directly |
| [FEDIZ-151] - Session Conflict with Cookies |
| |
| Improvement |
| |
| [FEDIZ-104] - Configurable (fediz_config.xml) token expiration validation |
| [FEDIZ-152] - Disable URL rewrites with SessionID to avoid session hijacking |
| |
| New Feature |
| |
| [FEDIZ-126] - Systests for websphere plugin |
| [FEDIZ-127] - Webshere example application doesn't fit to systemtests and is not buildable as ear file |
| [FEDIZ-144] - HomeRealm Discovery Service based on Spring EL |
| |
| Release Notes - CXF-Fediz - Version 1.2.1 |
| |
| Bug |
| |
| [FEDIZ-118] - Allow securing root context applications |
| |
| Improvement |
| |
| [FEDIZ-113] - Support SAML SSO Metadata in the IdP |
| [FEDIZ-120] - IDP Encoding of SignInResponse configurable |
| [FEDIZ-123] - Update certificates to 2048 bits |
| |
| Task |
| |
| [FEDIZ-114] - Remove X509TokenValidator and DefaultSubjectProvider in the STS |
| |
| |
| Release Notes - CXF-Fediz - Version 1.2.0 |
| |
| Sub-task |
| |
| [FEDIZ-105] - Websphere plugin support for configurable token validation |
| [FEDIZ-109] - Tomcat plugin support for configurable token validation |
| |
| Bug |
| |
| [FEDIZ-70] - Missing support for Web Services Policy 1.2 (http://schemas.xmlsoap.org/ws/2004/09/policy) |
| [FEDIZ-83] - wfreshparser incorrectly treats a freshness of 0 as negative |
| [FEDIZ-88] - wreply parameter must be optional |
| [FEDIZ-96] - Nullpointer exception if logout is called before login |
| [FEDIZ-97] - Plugin configuration property naming conflict with WebSphere 8.5 |
| [FEDIZ-99] - Wrong Address in PassiveRequestorEndpoint for ApplicationServiceType |
| [FEDIZ-100] - Wrong Value in EndpointReference for ApplicationServiceType |
| [FEDIZ-111] - NPE when ChainTrust is configured + no Subject is provided |
| [FEDIZ-112] - Race condition in tomcat plugin related to request restoration after redirect |
| |
| Improvement |
| |
| [FEDIZ-23] - Support different authentication mechanism |
| [FEDIZ-69] - Support starting IDP with jetty maven plugin |
| [FEDIZ-71] - Enable use of Apache CXF Fediz IDP with external third-party WS-Trust STS |
| [FEDIZ-72] - Make Trusted IDP protocol customizable |
| [FEDIZ-78] - Provide a configurable mechanism to load the DB initially |
| [FEDIZ-79] - Encoding of SignInResponse configurable |
| [FEDIZ-84] - Support wreq parameter in SP/IdP |
| [FEDIZ-93] - Provide correct fediz_config.xml to match with fedizhelloworld demo |
| [FEDIZ-94] - Provide correct fediz_config.xml to match with fedizhelloworld demo |
| [FEDIZ-95] - Moving Spring-Security configuration to central location |
| [FEDIZ-98] - Dynamic STS Realm Parser |
| [FEDIZ-101] - audienceUris as TargetScope in MetadataDocument |
| [FEDIZ-102] - Direct Logout at IDP with wsignoutcleanup1.0 action |
| |
| New Feature |
| |
| [FEDIZ-19] - Single Sign Out |
| [FEDIZ-27] - Support signout/cleanup message in Fediz plugin |
| [FEDIZ-46] - WS-FederationSupport for CXF JAX-RS |
| [FEDIZ-53] - Browser can pass the home realm to the Fediz plugin |
| [FEDIZ-65] - REST interface for IDP |
| [FEDIZ-73] - Support SAML-P protocol for Trusted IDP |
| [FEDIZ-77] - RBAC Support for REST Interface |
| [FEDIZ-89] - Kerberos/SPNEGO Authentication Support |
| [FEDIZ-90] - Identity Federation via Claim Mappings |
| |
| Task |
| |
| [FEDIZ-86] - Add support for Metadata to other plugins |
| |
| |
| Release Notes - CXF-Fediz - Version 1.1.2 |
| |
| Bug |
| |
| [FEDIZ-88] - wreply parameter must be optional |
| |
| New Feature |
| |
| [FEDIZ-89] - Kerberos/SPNEGO Authentication Support |
| [FEDIZ-90] - Identity Federation via Claim Mappings |
| |
| |
| Release Notes - CXF-Fediz - Version 1.1.1 |
| |
| Bug |
| |
| [FEDIZ-70] - Missing support for Web Services Policy 1.2 (http://schemas.xmlsoap.org/ws/2004/09/policy) |
| [FEDIZ-83] - wfreshparser incorrectly treats a freshness of 0 as negative |
| |
| Improvement |
| |
| [FEDIZ-79] - Encoding of SignInResponse configurable |
| [FEDIZ-84] - Support wreq parameter in SP/IdP |
| |
| |
| |
| Release Notes - CXF-Fediz - Version 1.1.0 |
| |
| New Feature |
| |
| [FEDIZ-2] - Support encrypted tokens in plugin |
| [FEDIZ-3] - Support the role "Resource IDP" in IDP |
| [FEDIZ-4] - Support SAML token with Holder-Of-Key SubjectConfirmationMethod |
| [FEDIZ-5] - Provide adapter for Jetty |
| [FEDIZ-9] - Provide plugin for CXF |
| [FEDIZ-36] - Http Form Based Login |
| [FEDIZ-38] - Integrate Fediz Plugin with Spring Security framework (Pre-Authentication) |
| [FEDIZ-39] - Spring Security Federation Authenticator |
| [FEDIZ-52] - Support wauth parameter in initial request to RP |
| [FEDIZ-53] - Browser can pass the home realm to the Fediz plugin |
| [FEDIZ-58] - Support LDAP groups for Maven profile ldap |
| [FEDIZ-59] - Support audit log in STS |
| [FEDIZ-61] - Support for Websphere WAS 7 / 8 |
| [FEDIZ-62] - Customize SignIn Query |
| [FEDIZ-63] - Support PEM format for certificate store |
| |
| Bug |
| |
| [FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ? |
| [FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role |
| [FEDIZ-47] - OnBehalfOf Token does not expire in the IdP |
| [FEDIZ-49] - Support using wfresh parameter in the IdP for TTL |
| [FEDIZ-55] - Claims from LDAP can't be retrieved |
| |
| Improvement |
| |
| [FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration |
| [FEDIZ-31] - Fix example package structure |
| [FEDIZ-37] - Dynamically assign ports for unit testing to avoid port conflict |
| [FEDIZ-41] - Fediz IDP refactored with Spring Web Flow |
| [FEDIZ-43] - No dependency on TCP port of IDP container in fedizidp.war |
| [FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation |
| [FEDIZ-48] - Support wfresh properly in the IdP |
| [FEDIZ-54] - Provide Maven profile to build STS with LDAP backend |
| [FEDIZ-64] - Add Callback support for the Realm (WTRealm) protocol property |
| [FEDIZ-66] - Token expiration validation configurable |
| [FEDIZ-67] - Use same Canonicalization Method for Signatures for Metadata document as for SAML tokens |
| |
| Wish |
| |
| [FEDIZ-15] - Support the publish of the WS-Federation Metadata document |
| [FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient |
| |
| |
| |
| |
| Release Notes - CXF-Fediz - Version 1.0.3 |
| |
| Bug |
| |
| [FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ? |
| [FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role |
| [FEDIZ-49] - Support using wfresh parameter in the IdP for TTL |
| |
| Improvement |
| |
| [FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration |
| [FEDIZ-31] - Fix example package structure |
| [FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation |
| [FEDIZ-48] - Support wfresh properly in the IdP |
| |
| Task |
| |
| [FEDIZ-42] - Upgrade to use CXF 2.6.6 |
| |
| Wish |
| |
| [FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient |
| |
| Release Notes - CXF-Fediz - Version 1.0.2 |
| |
| ** Bug |
| * [FEDIZ-26] - SAMLTokenValidator throws a NPE when an Attribute of the Assertion does not have a NameFormat |
| |
| ** Improvement |
| * [FEDIZ-18] - Make supported claims configurable in FileClaimsHandler |
| * [FEDIZ-20] - IDP should maintain authentication state |
| * [FEDIZ-17] - Current Fediz STS exposes SOAP 1.1 end point |
| * [FEDIZ-25] - Look for fediz_config.xml in catalina base too |
| |
| ** New Feature |
| * [FEDIZ-30] - Relying Party can enforce re-authentication using wfresh parameter |
| * [FEDIZ-28] - Logout capability in IDP |
| |
| ** Task |
| * [FEDIZ-29] - Migrate to CXF 2.6.3 |
| |
| ** Test |
| |
| |
| Release Notes - CXF-Fediz - Version 1.0.1 |
| |
| ** Bug |
| * [FEDIZ-24] - maximumClockSkew is not optional |
| |
| ** Improvement |
| * [FEDIZ-22] - Improved support for other claims encoding in SAML attributes |
| |
| ** New Feature |
| |
| ** Task |
| |
| ** Test |
| |
| |
