Shibboleth Developer's Meeting, August 16, 2013

Attendees:  Brent, Ian, Marvin, Rod, Scott, Tom

Call Administrivia

Dial-in attendee identification.

...

60 to 90 minute call window.


Brent

Deep in metadata resolver redesign and impl. Existing providers have been refactored in a coarse way to the new resolver API.  Removed the old metadata credential caching bits, to be replaced by a new mechanism which caches the resolved creds directly on the relevant XMLObject via new "object metadata" API (or other name TBD).

A lot of metadata support design discussion this week on the dev list.  At this point I've warmed to the idea of doing some amount of pre-processing in the batch-oriented resolvers, at least for entityID indexing and converting EntitiesDescriptor/@Name data to a representation on EntityDescriptor.  Now also have general working idea about how to handle Extensions, via a plugin interface.

Daniel

Out today.

Ian

 

Rod

Scott

Nothing to report. NOTE I'm going to be away (business travel/vacation/conference) on and off from Tuesday until 10/17.

Scott

Reimplemented SubjectCanonicalizer code as a context-driven webflow. Redesigned the later stages of authentication to bridge to a SubjectCanonicalizer subflow and back to complete the process. Updated the authentication design page with new summary of the steps involved.

Rest of time spent designing a new approach to handling requested authn methods that addresses a lot of constraints with current code and some problems with my early design. All of it is general to any protocol, not just SAML.

Work done:

  • designed a predicate factory and registry approach to plugging in rules for evaluating whether a "thing" supports a requested authentication context class or declaration
  • the "things" we need to examine for support are called PrincipalSupportingComponents, and include flow descriptors, results, and validation actions (the things that actually do credential checking for login)
  • implemented predicate factories for exact matching (all that V2 does) and inexact matching (handles SAML "minimum", "maximum", and "better" operators)
  • built a new context subtype for capturing requested authentication details from the AuthnRequest
  • reworked validation action base class to do a preExecute check for whether the action supports one of the requested authentication types (if the SP requests any)

Work left:

  • redo SelectAuthenticationFlow properly to use Predicates to evaluate flow descriptors and results before using them
  • unit tests
  • Spring examples and testbed testing
  • JSP-based login form support
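As an added illustration of the exact versus inexact matching predicates in the list above (example code written for these notes, not Shibboleth's own; the strength ranking is a constructed policy, and reading "better" as stronger than every requested class is an assumption):

```python
# Added illustration (not Shibboleth IdP code) of SAML AuthnContext comparison
# predicates. The strength ranking below is a constructed deployment policy.
from typing import Callable, Iterable, Optional
STRENGTH = [  # weakest first
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
]
RANK = {uri: i for i, uri in enumerate(STRENGTH)}
Predicate = Callable[[str], bool]

def _rank(ctx: str) -> int:
    # Fail closed: a class the policy never ranked cannot satisfy an inexact request.
    if ctx not in RANK:
        raise ValueError(f"unranked authn context class: {ctx}")
    return RANK[ctx]

def exact_predicate(requested: Iterable[str]) -> Predicate:
    """'exact' (all that V2 supports): candidate must be one of the requested classes."""
    wanted = frozenset(requested)
    return lambda ctx: ctx in wanted

def inexact_predicate(comparison: str, requested: Iterable[str]) -> Predicate:
    """'minimum', 'maximum', 'better' per SAML 2.0 Core 3.3.2.2.1, using RANK.
    'better' is read here as stronger than every requested class (assumption)."""
    ranks = [_rank(r) for r in requested]
    if comparison == "minimum":   # at least as strong as the weakest requested
        return lambda ctx: _rank(ctx) >= min(ranks)
    if comparison == "maximum":   # no stronger than the strongest requested
        return lambda ctx: _rank(ctx) <= max(ranks)
    if comparison == "better":
        return lambda ctx: _rank(ctx) > max(ranks)
    raise ValueError(f"unknown Comparison value: {comparison}")

def make_predicate(comparison: str, requested: Iterable[str]) -> Predicate:
    return exact_predicate(requested) if comparison == "exact" else inexact_predicate(comparison, requested)

def select_context(supported: Iterable[str], comparison: str, requested: Iterable[str]) -> Optional[str]:
    """Choose the class an IdP would assert from those its flows support. 'maximum' must be
    as strong as possible within the limit, so candidates are tried strongest first."""
    pred = make_predicate(comparison, requested)
    candidates = list(supported)
    if comparison == "maximum":
        candidates.sort(key=_rank, reverse=True)
    return next((c for c in candidates if pred(c)), None)
```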

Tom

This week started off with IP-307 "Move attribute mapper from idp-attribute-filter to new module", which is done in my local workspace. Two distractions: the first is idp-metadata and the second is testng. Also, I was out for a couple of days with appointments, and it looks like the month-long infrastructure outage is resolved; there was about 80% packet loss at the upstream node.

...

Anyone: what is the largest metadata we support?

Note: Rod is going to keep point on Resources, for when he returns. Added subtask IDP-308 "Review and conclude Resource discussion" to IDP-298 "Review Resources and their use", to follow up on Columbus discussion.

Note: Need to understand and mock up sub-flows.

Other