Shibboleth Developer's Meeting, June 28, 2012

Attendees: Rod Widdowson, Ian Young, Scott Cantor, Jim Fox, Tom Zeller, Paul Hethmon, Nate Klingenstein, Daniel Fisher

Agenda

Infrastructure Update

Currently Migrated
  • LDAP, IdP, Nexus
  • nexus on new hostname
Weekend Outage Post-mortem
  • IdP and SVN became inaccessible
    • Problem was bad OpenLDAP ACL
  • MX records disappeared
    • bug in GoDaddy UI triggered by adding A records and adjusting TTL of MX records
Upcoming Migrations
  • IdP to new hostname
    • all set up and metadata changed - just using a temp file for our SPs at the moment
    • just waiting for A record change
  • Website
    • Everything copied over and deployment script working
    • Just waiting for A record change
  • Mailing list
    • prelim work has been done
    • just need to adjust mail configuration
    • waiting to hear back from Scott L (Uni Edinburgh mail manager)
    • need to think about anti-spam setup - probably need to do this
  • Confluence
    • alternative 1: move things as is and upgrade to 3.5
    • alternative 2: upgrade to 4.1 - requires transitioning through some intermediate version
    • looks like alternative 2 should work, we'll try that and check in in two weeks
    • we're about at the EOL of 3.x release cycle
    • 4.1 editor isn't nearly as bad as we feared
    • new markup is based on xhtml - should help if we ever need to move off
  • Jira
    • way behind on upgrades
    • Jim may have plugin for latest Jira

OpenSAML Update

  • Brent on holiday until July 10th
  • Working on new SAML encoders and decoders
  • Basic functionality is complete
  • Some additional refactoring to make full use of the new APIs remains
  • Need to determine remaining set of work

IdP Update

v2.3.7
  • completed and staged
  • Rod generating MSI tomorrow or Saturday
  • Will be announced on Monday
Async SLO
  • SLO protocol extension that indicates the IdP doesn't need to respond to the SP
  • Guarantees the IdP owns the UI and provides more freedom in processing the SLO request
  • Work started in OASIS, should have a draft spec by next SSTC meeting in two weeks
  • Extension for IdP v2 that only destroys the IdP session
    • see how much work it would be to fire off back-channel request
v3
  • Chad: hashing through authentication APIs, main focus on method selection
  • Tom: getting up to speed on web flow
  • Tom: working on project module that will generate the IdP WAR file

SP Update

Work Left on 2.5
  • Work is mostly complete and people have been testing the installer
  • Installer seems to be in good shape - updating seems to work as well
    • no upgrade support from existing SPs - will just require an uninstall and new install
    • we think we can release patches for dependencies as well (e.g., openssl)
  • Option Items:
    • Async SLO support
    • Something in the metadata generator to populate algorithm strings
      • existing runtime algo selection support in the SP should make this relatively easy
    • Close out some existing bugs after more testing
  • Release
    • another beta in two weeks
    • need to release update of Santuario library
    • final release at end of July
Red Hat 5 is going to be supported until 2017: implications?

...

  • some libraries are already really old and contain bugs (e.g., libcurl DNS caching bug)
  • Scott uncomfortable depending on these older libs - we have ability to override libs with new releases
  • SP 2.5 might use new libs - Scott will raise this on the dev list

Project Roadmap

Additional items
  • nexus PGP signature checking plugin
  • Jira remote user authentication plugin
  • Tiqr Review
  • Rescope MDA 1.0 to exclude web service interface
Prioritization
  • no guidance from existing board
  • new board in place in August so we should be prepared to offer our opinion at the first meeting
  • some problem in translating Internet2 assumptions to statements to the board
  • major concerns about time we're spending on the infrastructure
  • need to have a better plan for IdPv3 especially expected release timeframe

Connection Information

Time: 15:30 UTC

...