Shibboleth Developer's Meeting, August 16, 2013

...

Brent

Daniel

Ian

Rod

Scott 

Reimplemented SubjectCanonicalizer code as a context-driven webflow. Redesigned the later stages of authentication to bridge to a SubjectCanonicalizer subflow and back to complete the process. Updated the authentication design page with new summary of the steps involved.

Rest of time spent designing a new approach to handling requested authn methods that addresses a lot of constraints with current code and some problems with my early design. All of it is general to any protocol, not just SAML.

Work done:

• designed a predicate factory and registry approach to plugging in rules for evaluating whether a "thing" supports a requested authentication context class or declaration
• the "things" we need to examine for support are called PrincipalSupportingComponents, and include flow descriptors, results, and validation actions (the things that actually do credential checking for login)
• implemented predicate factories for exact matching (all that V2 does) and inexact matching (handles SAML "minimum", "maximum", and "better" operators)
• built a new context subtype for capturing requested authentication details from the AuthnRequest
• reworked validation action base class to do a preExecute check for whether the action supports one of the requested authentication types (if the SP requests any)

Work left:

• redo SelectAuthenticationFlow properly to use Predicates to evaluate flow descriptors and results before using them
• unit tests
• Spring examples and testbed testing
• JSP-based login form support

Tom

This week started off with IP-307 "Move attribute mapper from idp-attribute-filter to new module", which is done in my local workspace. Two distractions : the first is idp-metadata and the second is testng. Also, was out for a couple of days with appointments, and it looks like the month long infrastructure outage is resolved, there was like 80% packet loss at the upstream node.

...