Shibboleth Developer's Meeting, 2020-11-06
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-11-20. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU; see ZoomGU for access info.
AGENDA
- OIDC plugin - versioning, planning
- Duo plugin - delivery of the two alternative implementations vis-à-vis the plugin/module system
- EC2 postmortem
Attendees:
Brent
- OSJ-304 - Done, unless we determine otherwise.
- OSJ-207 - Would like to finally knock this one out; should be easy. Already added Base64URL encoding/decoding support a while back.
- Re Phil's Duo and PKIX work: maybe we need a different PKIX trust evaluator impl based on e.g. Bouncy Castle, which makes advanced things like dynamic CRL and OCSP easier and more reliable?
...
- xmlsectool 3: will cut a beta in the next week or so
- this will require a release of Java parent and java-support
- will also be doing a scan of xmlsectool's dependencies, incl: Bouncy Castle & Santuario
John
- Started to get oriented to Jenkins
- Working on refactoring Ian's PoC Docker-based SP build system to be driven by GNU Make. Aiming to:
- make the whole thing less monolithic w.r.t. the collection of components that go along with the SP itself
- enable a dev to build everything locally with Docker
- also be drive-able by Jenkins
- couple to Docker loosely enough we can reuse for, e.g., an AWS container-based service, or EC2, or...
Marvin
Phil
- I went a bit off plan looking into CRL and OCSP revocation checking - at the expense of some other plugin things, my mistake.
- JDUO-18 - Most of the info is either in the ticket or in the email thread; thanks Brent for helping with that.
- Thanks to Brent's IdP changes, revocation checking can be enabled without requiring a static CRL
- Although you **must** enable at least one of CRL download from DPs, OCSP, or an approved static CRL - otherwise, it will always fail.
- Needs good documentation to highlight the configuration and issues to the deployer
- Might benefit from some CertPathPKIXValidationOptions checking when injecting the trust evaluator, e.g. throw an exception if revocation checking is enabled but a static CRL (although no way to validate that on startup), CRLDP or OCSP properties were not set.
- Removed the auth0 dep; now signs Nimbus JWTs using a - sigh - invalid key. JDUO-20
...
- Probably should schedule AWS cost review regularly / monthly / quarterly
- Worked on tests, Javas, AMIs
- Looking forward to working on consent
- Should figure out how to backup EC2 instance before patching
- Is it okay to start the instance while the AMI is pending?
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html
Other
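Added illustration (not from the meeting, and not Shibboleth or Duo plugin code): a Java sketch of the startup check suggested in Phil's notes above, rejecting a configuration in which revocation checking is enabled but neither a static CRL, CRL download from distribution points, nor OCSP is configured, and then wiring the sources into the JDK's own PKIXRevocationChecker. The `Options` class, its field names and the `RevocationConfigCheck` class are hypothetical stand-ins for the real deployer properties; how those properties reach the JVM's CRLDP and OCSP switches is assumed, not shown.

```java
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;

/**
 * Hypothetical startup-time sanity check for PKIX revocation configuration.
 * Example only; not part of the IdP, the Duo plugin, or any Shibboleth module.
 */
public final class RevocationConfigCheck {

    /** Hypothetical mirror of the deployer-facing revocation properties. */
    public static final class Options {
        public boolean revocationEnabled;
        /** Assumed to correspond to allowing CRL fetch from distribution points. */
        public boolean crlDownloadFromDPs;
        /** Assumed to correspond to allowing OCSP lookups. */
        public boolean ocspEnabled;
        /** Statically configured CRLs; may be null or empty. */
        public Collection<X509CRL> staticCRLs;
    }

    /**
     * Throws if revocation checking is on but no revocation source is configured,
     * which would otherwise make every certificate path fail at validation time.
     * Whether a static CRL actually covers the issuing CA is only knowable when a
     * path is validated, so only its presence is checked here.
     */
    public static void validate(Options opts) {
        if (!opts.revocationEnabled) {
            return;
        }
        boolean hasStatic = opts.staticCRLs != null && !opts.staticCRLs.isEmpty();
        if (!hasStatic && !opts.crlDownloadFromDPs && !opts.ocspEnabled) {
            throw new IllegalStateException(
                "Revocation checking is enabled but no CRL (static or via CRLDP) and no OCSP "
                + "source is configured; every certificate path would fail validation");
        }
    }

    /**
     * Builds PKIXParameters reflecting the configured sources: static CRLs go into
     * a Collection CertStore, and the JDK PKIXRevocationChecker is attached so it
     * consults OCSP and/or distribution-point CRLs itself (subject to the JVM's
     * own OCSP/CRLDP settings, which this example does not manage).
     */
    public static PKIXParameters buildParameters(Set<TrustAnchor> anchors, Options opts)
            throws Exception {
        validate(opts);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(opts.revocationEnabled);
        if (!opts.revocationEnabled) {
            return params;
        }
        if (opts.staticCRLs != null && !opts.staticCRLs.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(opts.staticCRLs)));
        }
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        EnumSet<Option> checkerOptions = EnumSet.noneOf(Option.class);
        if (!opts.ocspEnabled) {
            // CRL-only deployment: check CRLs first and never fall back to OCSP.
            checkerOptions.add(Option.PREFER_CRLS);
            checkerOptions.add(Option.NO_FALLBACK);
        }
        checker.setOptions(checkerOptions);
        params.addCertPathChecker(checker);
        return params;
    }
}
```

Calling `validate` at injection time turns the "always fails" misconfiguration into a hard startup error with a message naming the missing source, which is the behaviour the notes ask for; SOFT_FAIL is deliberately left out of the checker options so an unreachable CRLDP or OCSP responder still fails closed.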