The following features can be enabled after we upgrade the Shibboleth IdP software on the weblogin idpz servers to V4 (it is currently V3).

  1. Native OpenID Connect Support 
    The OpenID Connect plug-in for Shibboleth IdP is implemented by a third party. The source code has been moved to the Shibboleth IdP repository. It is officially supported by Shibboleth IdP V4 and will become a built-in protocol in Shibboleth IdP V5. More information can be found at https://wiki.shibboleth.net/confluence/display/IDP4/OIDCConfiguration.
  2. CSRF Protection
    CSRF protection is controlled by a parameter in the IdP's property file. When it is turned on, all user-facing views of the weblogin service will be protected. Each view will carry a CSRF token, and any submission back to the IdP will require an anti-CSRF token. More information can be found at https://wiki.shibboleth.net/confluence/display/IDP4/Cross-Site+Request+Forgery+%28CSRF%29+Protection.
  3. Access Control Based on User’s Information
    This feature imposes authorization rules at the IdP to work around the limitations of a service that either does not implement any authorization or does not provide an adequate user experience in the event of failure. For example, the IdP can allow only staff/faculty members to access a particular service provider. More information can be found at https://wiki.shibboleth.net/confluence/display/IDP4/ContextCheckInterceptConfiguration.