Shibboleth Developer's Meeting, 2019-11-01
Call Administrivia
09:00 Central US / 10:00 Eastern US / 1514:00 UK / 1716:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2010-11-15. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for see ZoomGU for access info.
AGENDA
- Ian Young
summaryJira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JPAR-140
Add items for discussion here
Attendees:
Brent
- Looking at Scott's SAML proxy flow stuff. Will probably have detailed questions soon.
- Testbed
- Jetty 9.3 vs 9.4 - prefer or recommend one or the other?
- Eclipse requirements? The Jetty 9.4 wiki page mentions Eclipse 2019-06 - is this a hard requirement?
- Testbed
Daniel
- LDAPDataConnector updates for ldaptive
Henri
- The OIDC plugin certification finally completed, see https://openid.net/certification/#OPs
- Worked on the ways to configure RP's public keys into SAML metadata, currently three ways:
- via RoleDescriptor/KeyDescriptor (using OpenSAML's InlineX509Provider and RSAKeyValueProvider)
- via (custom) RoleDescriptor/JwkSet -element: contents expected to be base64-encoded JWK
- via (custom) RoleDescriptor/JwkSetUri -element: URI to the endpoint where JWK can be fetched
- Next release (v1.1.0) targeted before TechEx
- The GÉANT BSD license will be switched into Apache 2.0
Ian
Marvin
Phil
- Finished testing all views when CSRF protection enabled - CSRF FlowExeuctionListener testing, all views overview
- Cleaning up implementation Anti-CSRF FlowExecutionListener Implementation. Not quite my best effort yet, but pushing it to (git@git.shibboleth.net:philsmart/java-identity-provider branch
feature/anti-csrf-flowlistener
) for review by an interested party.- Questions
- Currently, if enabled, affects all views unless they are excluded. As this will be disabled by default, risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use includes views over excludes.
- Would need to ensure good integration tests for view.
- Not as tight security wise, but the IdP has a low risk of CSRF anyway...
- I need to be clear which views are going to be included (although is in the big table above, probably needs better communication).
- If deemed usable, how does this get fitted into the IdP e.g. requires changes to views in addition to system config.
- Currently, if enabled, affects all views unless they are excluded. As this will be disabled by default, risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use includes views over excludes.
- Questions
Rod
(and related) Just needs testingJira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1499 Jira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1516 - LDAP test failures in eclipse.. Status?
Scott
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1511 Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1494 - Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases
- Considering generic extension point to turn Assertions into arbitrary IdPAttribute data to include
- Inbound filtering seems to hold up (issuer is proxied IdP, requester is proxying IdP)
- Starting to hit the interesting questions, e.g. when did authentication take place re: lifetime for SSO in IdP
- Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases
Tom
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1481
Other