forked from idp-installer-manager/idp-installer-global
-
Notifications
You must be signed in to change notification settings - Fork 4
/
RELEASE-NOTES.CAF
127 lines (90 loc) · 6.5 KB
/
RELEASE-NOTES.CAF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
Release Notes
Overview
Please see README.md for overview, key functions and related software dependancies.
This tool benefits from, and relies on you being online and connected to your environment to fetch the latest
from your repository for your OS as well as the necessary certificates.
Branch Details
3.0.0-CAF-RC5
Commit notes:
- Latest Shibboleth IdP (3.2.1) is installed and leverages newer saml-nameid settings for persistent and transient id.
- Numerous files removed from legacy installation of v2 style installation
- Consent in the IdP is enabled by default
Version compatibility:
This tool is an installer tool and usually only used once to perform an installation.
To this end, we recommend for all scenarios to:
- make a clone of your environment you are trying to work with and use that as your testing ground
- use the latest version of this tool when doing installations.
If you installed with the 2.x.x-CAF, 3.x.x-CAF-RCx, or standalone Shibboleth 2.x release:
- This installer will not upgrade an inplace installation of that install and is something we are working on.
- We recommend a new installation and import your configuration file into the configuration builder
so that you may benefit from the additional features.
If you have a pre-existing Shibboleth 3.x.x installation:
- We recommend working with the latest Shibboleth software itself rather than the installer.
- It will detect the existing configuration and provide an attempt at an upgrade.
Known Issues
Documentation that is embedded in this build is for the v2 of the installer and has incorrect testing URLs
and incorrect instructions for certificate management.
Please see the V3 Installer FAQ: https://tts.canarie.ca/otrs/public.pl?Action=PublicFAQExplorer;CategoryID=17
Please report IdP-Installer related issues to:
2.1.0-CAF
Commit notes:
- This version is now managed by branching in github rather than tagging
- Updated Shibboleth IdP to v2.4.3 software to respond to 2.4.0 vulnerability(Xalan/Xerces risk CVE2013-4002)
- Integrated external security fix for SSLv3/Poodle CVE2014-3566
New Features for the installation process:
- Added ability to do 'Preflight check' to installation to assist in rapid diagnosis of common connectivity issues
- Added additional user feedback by redirecting yum output to user
- Ability to do headless install by setting 'installer_interactive=n' which will automatically generate needed passwords
(see: https://github.com/canariecaf/idp-installer-CAF/issues/22 for further details of behaviour)
New Features for post install operations of the components:
- added the ability to have the Shibboleth IdP use CAS for authentication with a v3.3.3 CAS client jar.
Version compatibility:
This tool is an installer tool and usually only used once to perform an installation.
To this end, we recommend using the latest version of this tool when doing installations.
If you installed with the 2.0.0-CAF release:
The 2.0.0-CAF release installs the Shibboleth IdP v2.4.0.
To be current on security fixes on v2.4.0, you need to either apply these fixes to your IdP:
-for CVE2013-4002: http://shibboleth.net/community/advisories/secadv_20141103.txt
-for CVE2014-3566: https://tts.canarie.ca/otrs/public.pl?Action=PublicFAQZoom;ItemID=33
OR
- Re-install with this version of the tool to use the v2.4.3 IdP on a clean VM with your existing config file
- Migrate the tomcat and shibboleth keystores for webserver and IdP certificates respectively
- Regenerate any changes to the look and feel of the IdP
Known Issues
Build is designed for Active Directory installation via LDAP and depends on 'sAMAccountName' in various places.
Workaround:
Pure LDAP installation *IS* possible but must happen over LDAPS (636) by just entering your LDAP server.
Post installation, replace sAMAccountName wherver it occurs in /opt/shibboleth-idp/conf/ with 'uid' to match your LDAP schema for both attribute-resolver.xml and login.xml
Build is intended for CentOS6.5 and NOT CentOS7
Workaround:
Use the CentOS6.5 Minimal iso distribution for your OS. This is the only platform CAF can support for the tool.
The tool MAY run on ubuntu but is NOT a supported installation environment CAF. This is to say that it may not behave as expected at this time & require hand edits around java support for installation.
Release History
Tag Details
2.0.0-CAF General Release
Commit notes:
Fixed: Removed dependancy on EPEL repositories to prevent installation problem with tomcat & mysql
Known Issues
Build is designed for Active Directory installation via LDAP and depends on 'sAMAccountName' in various places.
Workaround:
Pure LDAP installation *IS* possible but must happen over LDAPS (636) by just entering your LDAP server.
Post installation, replace sAMAccountName wherver it occurs in /opt/shibboleth-idp/conf/ with 'uid' to match your LDAP schema for both attribute-resolver.xml and login.xml
Build is intended for CentOS6.5 and NOT CentOS7
Workaround:
Use the CentOS6.5 Minimal iso distribution for your OS. This is the only platform CAF can support for the tool.
The tool MAY run on ubuntu but is NOT a supported installation environment CAF. This is to say that it may not behave as expected at this time & require hand edits around java support for installation.
2.0.0-CAFbeta3 Release candidate 3
Commit notes:
Updated settings use Mysql J Connector of v5.1.32 instead of 5.1.29
Improved handling of JAVA_HOME to prevent java version collisions
Tip: remember to log out and back in again to get latest version of java you just updated
Merged fix for sAMAccountName issues from beta2 into native build. No longer need manual intervention to properly resolve attributes for Active Directory.
CAF Inter-federation feed is now available by default.
IdP installers/operators still need to email [email protected] to request their IdP to be present in eduGAIN (which is only extra elements added to metadata, no technical steps required)
CAF SHA256 feed is now the default CAF metadata aggregate
2.0.0-CAFbeta2 Updated settings to pull Mysql Connection of v5.1.29 instead of 5.1.27 due to broken link to download
2.0.0-CAFbeta1 Documentation updated and draft watermark removed, no code changes
2.0.0-CAFbeta Initial CAF release
- contains eduroam and Shibboleth functionality
- initial draft documentation