This page was formerly the “roadmap” for many years and has been renamed and kept for mainly historical reasons. The updated roadmap can be found in Project Roadmap .
This page is used to capture the "broad" picture of where the project spends its time and energe and some of the "big ticket" work items that have come up in the past that are either queued up, or have been parked for various reasons. This document does not provide deep technical details of the work going on in any particular software project but may link to such information when available.
...
The Dashboards for the IdP and SP products are somewhat organized and include access to a view of "Favorite filters", but you can also search for specific filters via https://issues.shibboleth.net/jira/secure/ManageFilters.jsp (just enter SP or IdP or whatever else into the search box). These are organized by version of course and should include versions beyond current releases to help track what is being worked on for future versions.
Ongoing
The following work items capture things that demand ongoing project time but do not represent "new" functionality or enhancements to code, processes, etc. They are documented for transparency in light of the significant resources they take.
Name | Description |
|---|---|
Project Overhead and Infrastructure | This is "keeping the lights on" for the Shibboleth projects. This includes attending teleconferences, face-to-face meetings, core list emails, etc. Also includes ongoing management of project infrastructure, and basic coordination among the team. |
Technical Support | Supporting deployers of the Shibboleth software through the Member-only support mechanisms or in response to mailing list questions from members. Non-member support is not subsidized and thus not accounted for as project time. This also includes some of the work we do to participate externally in standards or profile discussions, mostly in REFEDS at this point. Other standards work will typically involve more specific project deliverables that require the additional discussion or coordination. |
Native SP Maintenance | Maintaining the supported Service Provider product version(s). It includes bug fixes, testing, and release preparation and distribution, and also includes the maintenance of a half dozen dependent libraries. It does not include significant feature work at present. |
Embedded Discovery Service Maintenance | Maintaining the EDS, including bug fixes, testing, and release preparation and distribution. It does not include significant feature work at present. |
OpenSAML-Java Maintenance | Maintaining the Java OpenSAML library and supporting libraries. This includes bug fixes, testing, release preparation and distribution. |
IdP and IdP Plugin Maintenance | Maintaining the Identity Provider product core and released plugins. It includes bug fixes, testing, and release preparation and distribution. Major new feature work has largely moved out to plugin development. This notably includes basic maintenance and simple enhancements to the OIDC/OAuth support as well. |
Committed
These are projects and tasks that have staff time committed to them and are usually under active development.
Name | Expected Completion | Dependencies | Description |
|---|---|---|---|
Smaller OIDC/OAuth Enhancements | Ongoing | Additional features for the OIDC OP plugin, initially focused on use cases adjacent to OIDC specs, or adding optional OIDC material, and some enhancements to provide some additional OAuth functionality. See JOIDC project in Jira. Some enhancements may depend on member interest/demand. | |
SP Packaging Automation | Ongoing | AWS-based process for automating SP packaging, at least encompassing RPM platforms. This will conincide with changes to the packages we produce. The initial work is completed but work is ongoing to allow for CI in AWS. | |
FedCM | Probably through 2025 | The non-cynical take is that we are investing time in trying to work with Google on altering their plans for the browser so as to do as little harm to existing identity standards as possible. The cynical take is redacted (for now) to avoid guaranteeing they won’t listen to what we say. | |
Passwordless Features | Q4 2024 | This includes parallel work on both a Duo-centric and a native WebAuthn plugin solution, along with a bare bones UI. Future work will include a more full-featured UI that includes other requirements in addition to WebAuthn management. |
Planned
Planned projects are work accepted by the Consortium but which are not yet under development due to lack of resources or unmet preconditions. When committed work is complete the individuals working on the completed work will normally pick up a project from this list.
Name | Skills | Est. | Description |
|---|---|---|---|
Metadata Aggregator V1.0 | Java, XML, SAML | Initial product release of the framework and command line tool. Excludes previously intended Metadata Query Protocol functionality and in-depth documentation. Scope of work subject to input and time to develop final requirements by existing users. |
Under Discussion
These are projects which have been proposed but which the Consortium has not yet decided to work on. Most estimates here are highly speculative. These are generally "long haul" items that have been tabled for many years due to resource constraints and other priorities but have yet to be outright parked as rejected or infeasible.
Name | Skills | Est. | Description |
|---|---|---|---|
SP V4 Redesign | Java, C++ | 9PM | The SP is on an unsustainable path and needs to be replaced with a different software redesign that addresses sustainability challenges – see Service Provider V4 Redesign |
OIDC Federation | Java, OAuth/OIDC | 3PM | “Complete” support for the finished specs around OIDC Federation, primarily motivated by government projects at this point. |
Wallets / Verifiable Credentials | Java, VC specs | 6PM | Signs are pointing strongly toward, for better or worse, wallets and new protocols using them replacing SAML and OIDC in their current form at some point in the future, possibly the very near future (see also FedCM). |
Understanding Shib/SAML Documentation | Tech Writing, SME | 2PM | Developing a good set of documentation that explains SAML, Shibboleth, and Federations at a conceptual level. The intended audience for the documentation is those new to the subject matter. |
Enhanced Product Documentation | Tech Writing, SME | 3PM | Developing a good set of product documentation that explains features more thoroughly and contextually, with examples, and better how-to material that is task focused instead of reference oriented. |
Developer Documentation | SME | 3PM per product | Developing a good set of developer documentation for extension work on Shibboleth products. Documenting the SP and IdP would be separate items. |
Packaging / Installation / Deployment | Packaging, Containerization, Installer Tools | 2PM | This would span general installer improvements all the way to possible use of container technologies like Docker. Unclear if there's value in a general solution to that, but various groups have asked or have worked on things like this. Internet2 has stepped in to do this work with the TAP container. |
Expansion of IdP Integration Testing | Java, Installer Tools | 2PM | We need more extensive coverage of the installation processes and integration tests across different supported containers and platforms, to improve QA. |
IdP User Interface | Java, Javascript | There are various things that the IdP might expose a UI in order to manage, such as:
A GEANT project has been ongoing in 2023 to produce a form of this that we might eventually take over. This has potential for supplying at least a part of the missing UI needed to make Passwordless support more viable. | |
Java Service Provider | Java, SAML | 1PM | An analogue of the native, C++, SP written in Java. This has been requested for a long time due to the deficiencies so many other SAML implementations have had. It's been parked for a long time, and we had hoped to see good implementations emerge, but that hasn't happened. The work to redesign the SP would be expected to migrate much of the core function into Java, and the agent architecture under discussion is hoped to provide a path to producing new agents at much less cost to the project. The estimate of time is based on having a delivered SP redesign to work from. |
Office 365 Integration | Java, WS-Trust, OAuth | 3PM | Microsoft has made documents publically available describing fat-client integration with Office 365 via WS-Trust. They are offering technical contacts to faciitate this work. We have to determine viability and our willingness to adopt non-standard profiles without public change control procedures. This work seems of questionable value now given the SAML support across most of the applications and would probably take the form of OAuth support if we did anything. Realistically, Microsoft’s unwillingness to really support third party options make this a questionable proposition. |
IdP Configuration Tooling | Java, Javascript, UI design | From time to time people have requested some form of configuration tooling for the IdP. The suggestions range from command line tools, desktop UIs, and web-based UIs. In general it seems like the most often wish revolve around configuring:
The Unicon GUI is convering a lot of this space at the moment though in a highly abstracted/insulated way through the metadata boundary and the MetadataDrivenConfiguration work. | |
Security Audit/Review | C++, Java | Various open source projects have undertaken formal code audits or reviews for security issues, and this sometimes is raised as a pseudo-requirement for governmental usage. We have a lack of resources/expertise, and no explicit demand/requirement for this. It would also be costly in time. With the need to rewrite the SP, it doesn't make a lot of sense to audit that right now. | |
Gradle | Java | There are arguments to consider a migration from Maven to Gradle for the Java software build process. This is unlikely to result in any customer-facing benefits of course. |
Parked/Rejected
These are projects which were proposed but were found to be strategically unaligned, ill-defined, out of scope, or without sufficient interest from members. These items may be revisited from time to time as situations change. The list of course does not include many historical projects that have faded from public consciousness.
...