Shibboleth Developer's Meeting, 2019-11-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2010-11-15. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  • Ian Young: JPAR-140


Attendees:


Brent


Daniel


Henri

  • The OIDC plugin certification finally completed, see https://openid.net/certification/#OPs
  • Worked on the ways to configure RP's public keys into SAML metadata, currently three ways:
    • via RoleDescriptor/KeyDescriptor (using OpenSAML's InlineX509Provider and RSAKeyValueProvider)
    • via (custom) RoleDescriptor/JwkSet element: contents expected to be base64-encoded JWK
    • via (custom) RoleDescriptor/JwkSetUri element: URI to the endpoint where JWK can be fetched
  • Next release (v1.1.0) targeted before TechEx
    • The GÉANT BSD license will be switched to Apache 2.0

Ian


Marvin


Phil

  • Finished testing all views when CSRF protection is enabled - CSRF FlowExecutionListener testing, all views overview
  • Cleaning up implementation: Anti-CSRF FlowExecutionListener Implementation. Not quite my best effort yet, but pushing it to (git@git.shibboleth.net:philsmart/java-identity-provider branch feature/anti-csrf-flowlistener) for review by an interested party.
    • Questions
      • Currently, if enabled, it affects all views unless they are excluded. As this will be disabled by default, there is a risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use view includes over excludes?
        • Would need to ensure good integration tests for views.
        • Not as tight security-wise, but the IdP has a low risk of CSRF anyway...


Rod

  • IDP-1499 (and related) Just needs testing
  • IDP-1516
  • LDAP test failures in Eclipse. Status?

...