Thu, Jul 28, 2005
With the release of Guanxi 1.2.4 this marks a stable state on which to build further enhancements. It was going to be 1.2.3 but then I noticed a bug, gasp! that was affecting attribute release but that’s fixed now.
The current situation is thus:
PluginsGuanxi::IdP has two authentication and attribute plugins, one for LDAP and one for the Bodington VLE, so you can either run the IdP standalone or embedded within the Bodington VLE. Guanxifying Bod doesn’t affect the Bod codebase so it’s pretty easy to do and it gives you an authentication and attribute store out of the box
Trust frameworkGuanxi::IdP creates it’s own self-signed certificate and keystore and exports it as a Shibboleth compatible cert which you can copy/paste into your standard Shibboleth SP IQ-trust.xml
WAYFGuanxi::WAYF is stable and is being used at UHI to handle our resource access
TestingWe’ve successfully tested Guanxi::IdP with the new Athens Shibboleth Gateway and also with the SDSS federation. It’s also been extensively tested against the standard Shibboleth 1.2.1 C++ Service Provider
So what’s the immediate future of Guanxi?
Guanxi::SPThe next release should include the upcoming Guanxi Service Provider. This is a web service enabled, distributed Java implementation and uses SAML2 Metadata internally. Now that the IdP is ready to rock ‘n roll I should get more time to work on the SP.
SAMUELI’ve neglected SAMUEL recently as it’s been stable for ages and it just sits in the background doing it’s job. It’s time I added Javadocs to it though, as it is a toolkit after all!
Guanxi::IdPAt the moment, the IdP releases unqualified attributes, i.e. it doesn’t release e.g. urn:mace:dir:attribute-def:eduPersonPrincipalName, rather, it releases eduPersonPrincipalName. So attribute qualification is on the cards. Of course, mace-dir have taken over some standard LDAP attributes, which can be mace-dir qualified but what to do about the rest?
Guanxi::WAYFPlanning on implementing IP address matching so you won’t see the WAYF if your IP address is available and is mapped to a range that points to an IdP
Online configurationThe WAYF,IdP and SP will all benefit from online configuration, rather than endlessly editing XML files on the server so I’ve started work on a generic XSLT driven module that will allow users to configure their Guanxi online
PubcookieI’ve been asked to see if Guanxi::IdP can handle Pubcookie - so I will.
SSOI’ve also been asked for an enhanced IdP into which you can login. This lets you login to the IdP once and access resources without having to login each time. You can already do this if you’re using the embedded Guanxi in Bodington but SSO enabling the IdP will let the standalone version join in the fun
LogoutIt’s easy to access a Shibboleth protected resource using Guanxi but what if you want to change your IdP? You have to logout. So another enhancement coming is logout functionality for the IdP/SP
So there’s tons to do with the immediate goal being to get the first version of the SP out the door. The web services flow is complete and at the moment I’m battling with extending the SAML2 Metadata schema to provide a RoleDescriptor which is tailored to the Guanxi::SP::Guard
Watch this space!