Shibboleth Developer's Meeting, 2019-11-01
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2010-11-15. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- Ian Young - JPAR-140Getting issue details... STATUS summary
Add items for discussion here
Attendees:
Brent
Daniel
Henri
- The OIDC plugin certification finally completed, see https://openid.net/certification/#OPs
- Worked on the ways to configure RP's public keys into SAML metadata, currently three ways:
- via RoleDescriptor/KeyDescriptor (using OpenSAML's InlineX509Provider and RSAKeyValueProvider)
- via (custom) RoleDescriptor/JwkSet -element: contents expected to be base64-encoded JWK
- via (custom) RoleDescriptor/JwkSetUri -element: URI to the endpoint where JWK can be fetched
- Next release (v1.1.0) targeted before TechEx
- The GÉANT BSD license will be switched into Apache 2.0
Ian
Marvin
Phil
- Finished testing all views when CSRF protection enabled - CSRF FlowExeuctionListener testing, all views overview
- Cleaning up implementation Anti-CSRF FlowExecutionListener Implementation. Not quite my best effort yet, but pushing it to (git@git.shibboleth.net:philsmart/java-identity-provider branch
feature/anti-csrf-flowlistener
) for review by an interested party.- Questions
- Currently, if enabled, affects all views unless they are excluded. As this will be disabled by default, risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use includes views over excludes.
- Would need to ensure good integration tests for view.
- Not as tight security wise, but the IdP has a low risk of CSRF anyway...
- Currently, if enabled, affects all views unless they are excluded. As this will be disabled by default, risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use includes views over excludes.
- Questions
Rod
- - IDP-1499Getting issue details... STATUS (and related) Just needs testing
- - IDP-1516Getting issue details... STATUS
- LDAP test failures in eclipse.. Status?
Scott
- - IDP-1511Getting issue details... STATUS
-
-
IDP-1494Getting issue details...
STATUS
- Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases
- Considering generic extension point to turn Assertions into arbitrary IdPAttribute data to include
- Inbound filtering seems to hold up (issuer is proxied IdP, requester is proxying IdP)
- Starting to hit the interesting questions, e.g. when did authentication take place re: lifetime for SSO in IdP
- Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases
Tom
Other