...
The Duo plugin upgrade adding dedicated single-factor passwordless support is now available.
The WebAuthn plugin has reached beta status while work continues on a few final additions such as better auditing support. With the plugin largely stable now, testing can be conducted using nightly snapshots, allowing any bug fixes to be immediately available. As I mentioned in May, we have built a new page to improve project transparency regarding the state of our Java projects and links to the stable and in-development distributions at https://shibboleth.net/cgi-bin/projstatus.cgi. See my note for more on this. We will work on finding ways to expose a pointer to this page wherever it makes sense to do so.
Work has progressed on OAuth PAR and DPoP features in the OP plugin along with other minor improvements. Documentation of the new features is in progress and a release is expected later this summer. That should clear the decks for work to start on the OpenID Federation implementation this fall.
We are close to shipping an upgrading Windows installer for Jetty 12 to replace the Jetty 11 version; testing is underway. We are also starting to explore the possibility of migrating to a plugin-based approach that adds Jetty to an existing IdP.
I am considering a minor SP update this fall to pick up a small number of fixes and substantially freshen the Windows library set, which is getting increasingly out of date, OpenSSL in particular. Part of this release may include a new release of the xml-security library that has now formally been forked by the Shibboleth Project with the original library retired at Apache due to lack of committers. Taking over the code in fact as well as practice provides more freedom to make changes and possibly remove many unused features (and attack surface). The official transition of that library has not exactly been finalized, but we have published the converted Git repository and any future SP 3.x packages will rely on that fork. It is not inconceivable that we may do something similar to Xerces, but doing so would be more contentious and probably require a formal fork because Apache is unlikely to retire that code (even though it probably should IMHO).
...
I have working (and “sort of documented”) flows for a few early utility tasks, most notably one that will parse the XML-based RequestMap syntax on behalf of agents (which will no longer require native XML parsing support). For now, the RequestMap syntax is largely, though not entirely, identical to the current V3 schema, so it exists in a new V4 namespace. The hope is that this will be the extent of agents' reliance on XML as a configuration format, with any other configuration handled in simpler ways.
...