Apache CXF Fediz 1.1.0 Release Notes ------------------------------------ 1. Overview The 1.1.x versions of Apache CXF Fediz provide the following features: * WS-Federation 1.0/1.1/1.2 * SAML 1.1/2.0 Tokens * Custom token support * Publish WS-Federation Metadata document for RP and IDP * Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens * Claims information provided by FederationPrincipal interface * Fediz IDP supports Resource and Requestor IDP role, Home Realm Discovery Service, ... * Support for Jetty, Tomcat, Websphere and Spring Security 2.0/3.1 2. Installation Prerequisites Before installing Apache CXF Fediz, make sure the following products, with the specified versions, are installed on your system: * Java 6 or 7 Development Kit * Apache Maven 3.x to build the samples 3. Installation Procedures Follow the Getting Started instructions at http://cxf.apache.org/fediz.html#Fediz-Gettingstarted for information on installing the Fediz IDP and IDP STS. 4. Building the Samples Building the samples included in the binary distribution is easy. Change to the examples directory and follow the build instructions in the README.txt file included with each sample. 5. Replacing provided keystores The sample keystores provided are fine for development and prototyping use but make sure to replace them for any production use, see see examples/samplekeys/HowToGenerateKeysREADME.html for key generation information. 6. Reporting Problems If you have any problems or want to send feedback of any kind, please e-mail the CXF user list, users@cxf.apache.org. You can also file issues in JIRA at: http://issues.apache.org/jira/browse/FEDIZ 7. Migration notes: N.A. 8. Specific issues, features, and improvements fixed in this version Release Notes - CXF-Fediz - Version 1.1.0 New Feature [FEDIZ-2] - Support encrypted tokens in plugin [FEDIZ-3] - Support the role "Resource IDP" in IDP [FEDIZ-4] - Support SAML token with Holder-Of-Key SubjectConfirmationMethod [FEDIZ-5] - Provide adapter for Jetty [FEDIZ-9] - Provide plugin for CXF [FEDIZ-36] - Http Form Based Login [FEDIZ-38] - Integrate Fediz Plugin with Spring Security framework (Pre-Authentication) [FEDIZ-39] - Spring Security Federation Authenticator [FEDIZ-52] - Support wauth parameter in initial request to RP [FEDIZ-53] - Browser can pass the home realm to the Fediz plugin [FEDIZ-58] - Support LDAP groups for Maven profile ldap [FEDIZ-59] - Support audit log in STS [FEDIZ-61] - Support for Websphere WAS 7 / 8 [FEDIZ-62] - Customize SignIn Query [FEDIZ-63] - Support PEM format for certificate store Bug [FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ? [FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role [FEDIZ-47] - OnBehalfOf Token does not expire in the IdP [FEDIZ-49] - Support using wfresh parameter in the IdP for TTL [FEDIZ-55] - Claims from LDAP can't be retrieved Improvement [FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration [FEDIZ-31] - Fix example package structure [FEDIZ-37] - Dynamically assign ports for unit testing to avoid port conflict [FEDIZ-41] - Fediz IDP refactored with Spring Web Flow [FEDIZ-43] - No dependency on TCP port of IDP container in fedizidp.war [FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation [FEDIZ-48] - Support wfresh properly in the IdP [FEDIZ-54] - Provide Maven profile to build STS with LDAP backend [FEDIZ-64] - Add Callback support for the Realm (WTRealm) protocol property [FEDIZ-66] - Token expiration validation configurable [FEDIZ-67] - Use same Canonicalization Method for Signatures for Metadata document as for SAML tokens Wish [FEDIZ-15] - Support the publish of the WS-Federation Metadata document [FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient Release Notes - CXF-Fediz - Version 1.0.3 Bug [FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ? [FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role [FEDIZ-49] - Support using wfresh parameter in the IdP for TTL Improvement [FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration [FEDIZ-31] - Fix example package structure [FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation [FEDIZ-48] - Support wfresh properly in the IdP Task [FEDIZ-42] - Upgrade to use CXF 2.6.6 Wish [FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient Release Notes - CXF-Fediz - Version 1.0.2 ** Bug * [FEDIZ-26] - SAMLTokenValidator throws a NPE when an Attribute of the Assertion does not have a NameFormat ** Improvement * [FEDIZ-18] - Make supported claims configurable in FileClaimsHandler * [FEDIZ-20] - IDP should maintain authentication state * [FEDIZ-17] - Current Fediz STS exposes SOAP 1.1 end point * [FEDIZ-25] - Look for fediz_config.xml in catalina base too ** New Feature * [FEDIZ-30] - Relying Party can enforce re-authentication using wfresh parameter * [FEDIZ-28] - Logout capability in IDP ** Task * [FEDIZ-29] - Migrate to CXF 2.6.3 ** Test Release Notes - CXF-Fediz - Version 1.0.1 ** Bug * [FEDIZ-24] - maximumClockSkew is not optional ** Improvement * [FEDIZ-22] - Improved support for other claims encoding in SAML attributes ** New Feature ** Task ** Test