Shibboleth Developer's Meeting, 2019-07-19
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-08-02. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
- (Phil) Around for the first 45 mins. Can discuss Anti-CSRF implementations if there is time (CSRF Mitigation Options)
Attendees:
Brent
Daniel
Henri
- On vacation, unable to attend the call today
- Updated the Wiki page regarding OIDC RP as EntityDescriptor: /wiki/spaces/DEV/pages/1177321591
- The plan is to use EntityDescriptor (client_id is entityID), UIInfo (for instance, client_name is UIInfo/DisplayName) and a custom role descriptor. The table of claim/XML-element relationships and the initial draft of the XML schema can be found on the page.
- The implementation is still in progress: extended SAMLPeerEntityContext and SAMLMetadataContext are exploited by the actions.
Ian
Marvin
Phil
- In addition to view- and form-based CSRF protection, looked at a simple AccessControl mechanism for the RESTful admin endpoints: API Key Access Control
Rod
- Travel
Scott
Tom
Other