Shibboleth Developer's Meeting, January 24, 2014

...

Attendees:


Call Administrivia

10:00 Central US / 11:00 Eastern US / 16:00 UK

Dial-in attendee identification.

...

  • Tracking the C14N discussion and NameID generation stuff.

Scott

  • Redesigned how authn and subject c14n "connect" so it resembles configuring authentication itself
  • More flexibility, each login flow can potentially connect to >1 c14n flow
  • Allows SAML subject -> principal mapping process to be configured the same as login subject -> principal mapping
  • Would like to deprecate PrincipalConnector

  • Created a new NameIdentifierGenerator plugin API to move NameID generation out of resolver
  • Implemented a Default generator for SAML 1/2 that pulls data from attributes (String, Scoped, XMLObject) and builds a NameID
    • will support any Format specified
    • supports NameQualifiers and option to omit them if defaulted or not set
  • Plan is to build a multi-map of Format to Generator in subject-config.xml (name TBD)
    • SAML actions will combine nameIDFormatPrecedence from profile config + SP metadata + SAML 2 NameIDPolicy to compute Format prefs
    • try each Format, test Generator as Predicate to see if applies, try it if it does
    • take first non-null result
  • Transient / Persistent can be done as dedicated plugins ideally, would like to move them into idp-saml-impl
  • Need to look at sharing code between legacy plugins for Transient/Persistent and new ones, seems like it should be straightforward
  • Legacy generator to pull from NameIDEncoders from resolver results

Goal is to have a new Spring config to control all aspects of Principal/Subject mapping and translation, mostly about SAML now but eventually would include other techs as needed (or never touched again)
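The selection procedure sketched above (compute Format preferences, then walk a Format-to-Generator multi-map, testing each generator as a Predicate and taking the first non-null result) is illustrated below as an added example. It is not Shibboleth IdP code and not the NameIdentifierGenerator API Scott describes; the class and method names are hypothetical, the Format URIs are the standard SAML ones, and the exact rule for combining profile-config precedence, SP metadata and the NameIDPolicy Format is an assumption made for the example (the notes do not specify it).

```java
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.function.Predicate;

public class NameIdSelectionExample {

    // Standard SAML Format URIs; everything else in this example is illustrative.
    static final String UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
    static final String EMAIL       = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String PERSISTENT  = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    static final String TRANSIENT   = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /** Hypothetical stand-in for the request state a generator inspects (resolved attributes). */
    static final class RequestContext {
        final Map<String, String> attributes;
        RequestContext(Map<String, String> attributes) { this.attributes = attributes; }
    }

    /** A generator is tested as a Predicate first; if it applies, it is tried and may return null. */
    static final class Generator {
        private final Predicate<RequestContext> applies;
        private final Function<RequestContext, String> produce;
        Generator(Predicate<RequestContext> applies, Function<RequestContext, String> produce) {
            this.applies = applies;
            this.produce = produce;
        }
        boolean test(RequestContext ctx) { return applies.test(ctx); }
        String generate(RequestContext ctx) { return produce.apply(ctx); }
    }

    /**
     * Compute ordered Format preferences. The combination rule is an assumption made for this
     * example: an explicit NameIDPolicy Format wins outright; otherwise the profile-config
     * precedence keeps its order but is restricted to Formats the SP metadata advertises
     * (an SP that advertises none is taken to accept anything).
     */
    static List<String> formatPreferences(List<String> profilePrecedence,
                                          List<String> spMetadataFormats,
                                          String nameIdPolicyFormat) {
        if (nameIdPolicyFormat != null && !UNSPECIFIED.equals(nameIdPolicyFormat)) {
            return Collections.singletonList(nameIdPolicyFormat);
        }
        LinkedHashSet<String> ordered = new LinkedHashSet<>();
        for (String format : profilePrecedence) {
            if (spMetadataFormats.isEmpty() || spMetadataFormats.contains(format)) {
                ordered.add(format);
            }
        }
        return new ArrayList<>(ordered);
    }

    /** Walk the Format -> Generator multi-map in preference order; first non-null result wins. */
    static Map.Entry<String, String> selectNameId(Map<String, List<Generator>> generators,
                                                  List<String> formats,
                                                  RequestContext ctx) {
        for (String format : formats) {
            for (Generator g : generators.getOrDefault(format, Collections.emptyList())) {
                if (!g.test(ctx)) {
                    continue;            // generator does not apply to this request
                }
                String value = g.generate(ctx);
                if (value != null) {
                    return new AbstractMap.SimpleEntry<>(format, value);
                }
            }
        }
        return null;                     // no Format could be satisfied
    }

    public static void main(String[] args) {
        // Multi-map of Format -> generators, in the spirit of the proposed subject-config.xml.
        Map<String, List<Generator>> generators = new HashMap<>();
        generators.put(PERSISTENT, List.of(new Generator(
                ctx -> ctx.attributes.containsKey("persistentId"),
                ctx -> ctx.attributes.get("persistentId"))));
        generators.put(EMAIL, List.of(new Generator(
                ctx -> ctx.attributes.containsKey("mail"),
                ctx -> ctx.attributes.get("mail"))));
        generators.put(TRANSIENT, List.of(new Generator(
                ctx -> true,
                ctx -> "_" + java.util.UUID.randomUUID())));

        // Constructed sample request: the user has a mail attribute but no persistent ID.
        RequestContext ctx = new RequestContext(Map.of("mail", "user@example.org"));

        List<String> prefs = formatPreferences(
                List.of(PERSISTENT, EMAIL, TRANSIENT),   // profile config precedence
                List.of(EMAIL, TRANSIENT),               // Formats advertised in SP metadata
                null);                                   // no NameIDPolicy Format in the request
        System.out.println("Format preferences: " + prefs);

        Map.Entry<String, String> result = selectNameId(generators, prefs, ctx);
        System.out.println("Selected: " + result);
    }
}
```

With this sample input the persistent Format is dropped by the SP metadata filter, so the walk starts at emailAddress, whose generator applies and returns the mail value; the transient generator is never reached. Returning null from `selectNameId` is the signal for the SAML action to fail the request rather than fall back to an unrequested Format.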


Tom

  • Somewhat at a stopping point with the SAML 1 flow, need guidance regarding inbound and message handlers.
  • Worked on flow "unit" tests, not sure if executing flows manually will be that useful, perhaps running a test SP and IdP via embedded Jetty will be.
  • Note about using bean "dev" profile in ipaddress-authn-config.xml
  • Question about SWF being "recursive"
  • Annotations as documentation-only for non-test code.
  • Comment on Fuze audio, going silent takes some getting used to.
  • Oh...now I understand, I think, why we had Services.


Other