Shibboleth Developer's Meeting, 2019-11-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2010-11-15. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  • Ian Young: JPAR-140

Add items for discussion here

Attendees:


Brent

  • Looking at Scott's SAML proxy flow stuff.  Will probably have detailed questions soon.
    • Testbed
      • Jetty 9.3 vs 9.4 - prefer or recommend one or the other?
      • Eclipse requirements? The Jetty 9.4 mentions Eclipse 2019-06 - is this a hard requirement?

...

  • Finished testing all views when CSRF protection is enabled - CSRF FlowExecutionListener testing, all views overview
  • Cleaning up implementation Anti-CSRF FlowExecutionListener Implementation. Not quite my best effort yet, but pushing it to (git@git.shibboleth.net:philsmart/java-identity-provider branch feature/anti-csrf-flowlistener) for review by an interested party.
    • Questions
      • Currently, if enabled, it affects all views unless they are excluded. As this will be disabled by default, there is a risk that changes that appear to work will break when it is enabled (which a deployer may have chosen to do). Is it best to use included views over excludes?
        • Would need to ensure good integration tests for view. 
        • Not as tight security wise, but the IdP has a low risk of CSRF anyway...
      • I need to be clear which views are going to be included (although it is in the big table above, it probably needs better communication).
      • If deemed usable, how does this get fitted into the IdP? E.g. it requires changes to views in addition to system config.


Rod

  • IDP-1499 (and related) Just needs testing
  • IDP-1516
  • LDAP test failures in Eclipse. Status?

...