- Version 3.0
- Basic enrollment flows: self-enrollment based on self-asserted attributes
- Provisioning to standard SCZ targets: local LDAP and SAML attribute database
- Generate service tokens
- Log in via SURFconext
- Log in via Google
- SAML services can be connected manually
- OIDC services can be connected manually
- CO-membership and group memberships are relayed to
- CO-based authorization for SAML services
- SAML and OIDC services are added manually
- COs are provisioned to separate o-trees
- people and groups are provisioned
- people get eduPerson, eduMember and posixAccount attributes, with fixed (per CO) ranges for uid and gid
- access control to the LDAP database is manual
- Working installation to local VMs (libvirt/qemu and virtualbox backends)
- Test environment deployed (internal SURF)
- Pilot environment deployed (public)
- Direct connection to SURFconext (nowfap deprecated)
- When logging in to a SAML SP that is connected to a CO, the CO information is not relayed properly. For example, the eduPersonScopedAffiliation will be email@example.com (literally) instead of properly identifying the CO.
- When logging in to a SAML SP, the SP will receive IdP-attributes instead of only CO-owned attributes
- The consent screen does not remember the given consent (it promised to not ask the question again for 3 or 6 months). This is on purpose, to facilitate testing.
- Loading the discovery screen takes a long time (40-60 seconds); during this loading time not all IdPs can be selected, and your browser might ask for certificates to access a number of IdP logos.
- Access control for SPs is not enabled, so anyone with access to the platform (i.e., with a connected IdP) will be able to access all backend services. Users who are not a member of the CO that owns the service will not get CO-specific attributes though.
- Multivalued attributes are not relayed to OIDC clients.
- Only self-signup enrollment flows are supported.
- COmanage enrollment flows are fragile: missing a single setting in the enrollment config will mess everything up.
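The LDAP provisioning items above state that every CO gets its own o-tree, that people carry eduPerson, eduMember and posixAccount attributes, and that uid and gid values come from a fixed range per CO, while access control on the directory is still manual. The check below is an added example, not SCZ project code: it walks a constructed set of LDAP entries (plain dicts shaped like python-ldap results; the DNs, objectClasses and id ranges are made up) and reports entries that are missing the required person objectClasses, that carry a uidNumber or gidNumber outside their CO's range, or that reuse a uidNumber across entries.

```python
"""Check provisioned LDAP person/group entries against per-CO uid/gid ranges.

Constructed example; the entries and range assignments below are invented and
do not come from the SCZ project. Entries are plain dicts shaped like LDAP
objects (attribute name -> list of string values), as python-ldap returns them.
"""

# Constructed: each CO has its own o-tree and a fixed, non-overlapping id range.
CO_RANGES = {
    "o=co-alpha,dc=example,dc=org": (10000, 19999),
    "o=co-beta,dc=example,dc=org": (20000, 29999),
}

# objectClasses every provisioned person entry is expected to carry.
REQUIRED_PERSON_CLASSES = {"eduPerson", "eduMember", "posixAccount"}

# Constructed sample entries: one valid person, one with a gid from another
# CO's range, one missing posixAccount, one valid group and one out-of-range group.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,o=co-alpha,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "eduPerson", "eduMember", "posixAccount"],
     "uidNumber": ["10001"], "gidNumber": ["10001"]},
    {"dn": "uid=bob,ou=People,o=co-alpha,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "eduPerson", "eduMember", "posixAccount"],
     "uidNumber": ["10002"], "gidNumber": ["20002"]},   # gid belongs to co-beta
    {"dn": "uid=carol,ou=People,o=co-beta,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "eduPerson", "eduMember"],
     "uidNumber": ["20001"], "gidNumber": ["20001"]},   # posixAccount missing
    {"dn": "cn=alpha-admins,ou=Groups,o=co-alpha,dc=example,dc=org",
     "objectClass": ["groupOfNames", "posixGroup"], "gidNumber": ["10500"]},
    {"dn": "cn=beta-admins,ou=Groups,o=co-beta,dc=example,dc=org",
     "objectClass": ["groupOfNames", "posixGroup"], "gidNumber": ["30000"]},  # out of range
]


def co_of(dn):
    """Return the CO o-tree base a DN sits under, or None if it is outside all trees."""
    for base in CO_RANGES:
        if dn.lower().endswith("," + base.lower()):
            return base
    return None


def check_entry(entry):
    """Return a list of problems for one entry; an empty list means it passes."""
    problems = []
    dn = entry["dn"]
    base = co_of(dn)
    if base is None:
        return [f"{dn}: not under any known CO o-tree"]
    lo, hi = CO_RANGES[base]
    classes = set(entry.get("objectClass", []))
    is_person = ",ou=people," in dn.lower()
    if is_person:
        missing = REQUIRED_PERSON_CLASSES - classes
        if missing:
            problems.append(f"{dn}: missing objectClass {sorted(missing)}")
        id_attrs = ("uidNumber", "gidNumber")
    else:
        id_attrs = ("gidNumber",)
    # Every numeric id must fall inside the range reserved for this CO.
    for attr in id_attrs:
        values = entry.get(attr, [])
        if not values:
            problems.append(f"{dn}: no {attr}")
            continue
        n = int(values[0])
        if not lo <= n <= hi:
            problems.append(f"{dn}: {attr}={n} outside CO range {lo}-{hi}")
    return problems


def check_entries(entries):
    """Run check_entry over every entry and also flag uidNumbers reused across entries."""
    problems = []
    seen = {}
    for e in entries:
        problems.extend(check_entry(e))
        for v in e.get("uidNumber", []):
            if v in seen:
                problems.append(f"{e['dn']}: uidNumber {v} already used by {seen[v]}")
            seen[v] = e["dn"]
    return problems


if __name__ == "__main__":
    for p in check_entries(SAMPLE_ENTRIES):
        print(p)
```

Run against the constructed entries it reports three problems (bob's gid, carol's missing posixAccount, the beta-admins gid). Against a live directory you would replace SAMPLE_ENTRIES with the result of a subtree search per CO base and take CO_RANGES from whatever range table the provisioner was configured with.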
Component versions (see Software versions and pull requests for a more detailed overview):
- COmanage: version 3.0 + upstream/hotfix-3.0.x plus fixes:
- SATOSA: version master-20180221 (f42cff6) plus fixes:
  - fixes for OIDC
  - add transparent (Dutch proxying) SAML endpoints for SPs
  - microservice updates
- Pyff: version 0.10.0 + fixes:
  - fix base64 padding in URLs
- CMservice: version 2.0.2 plus fixes:
  - fix upper/lower case issues for attribute names
  - fix templating error