Shibboleth Developer's Meeting, 2021-11-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI Note unusual time this week due to DST changes

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-11-19. Any reason to deviate from this?

60 to 90 minute call window.

This week's call will use the Zoom system at GU, see ZoomGU for access info.

@Ian Young JPAR-195: Review and simplify release profileOpen
@Rod Widdowson @Philip Smart Site builds (which generate java doc and run weekly) x Nightly builds (which consume javadoc) x version revision == broken nightlys
Maven Central Repository - see my (Tom) section below for details - do we want to :
- (a) publish our repo URL in the POM and maintain long-term / forever-ish ? in a profile not activated by default ?
- or (b) remove from POM and publish our repo URL in the wiki as documentation for developers to add to ~/.m2/settings.xml ? (that’s my suggestion)
Quick q: did/do we intend to remove the jvmTrust option for LDAP authentication?
Quick item I will be taking to the Board

Add items for discussion here

JSATTR-6: SAML AttributeQuery DataConnectorOpen
- Working on putting together the lower-level bits for the attribute query, based on work we did for artifact resolution

JOIDC-21: Use token authentication for OIDC dynamic client registrationClosed
- Quite a few iteration rounds of metadata policy resolution with the new resolver structure in oidc-commons
- Finally an initial version of the extended dynamic registration profile configuration with metadata policy resolved from a file (wired together via postconfig.xml)
- Will create new (sub)tickets to oidc-commons and OP regarding this metadata policy concept

Slowly getting back into the Fargate/Jenkins work
Looking into possible yum-related improvements to avoid repeated contacts to upstream repos

Still JCOMOIDC-23: Add OpenID Provider Configuration Document ResolverOpen
- Implemented a number of changes thanks to feedback from @Henri Mikkonen .
  - He has some very early success using it for Metadata Policies.
- Is messy to XML-wire given all the strategies and how general it is, but parent bean config helps.
Made small steps with OIDC-RP.
Will have lots more time w/c 15th Nov. for the foreseeable.

Santuario release done (and done again)
Bumped log4shib to fix some modern compiler issues
Most of SP work is done unless I can think of something else to actually deprecate (vs. all the stuff I really want to deprecate)
- Tested cpp-linbuild process successfully
IdP odds and ends

Maven Central :
- Looks like we will not publish artifacts to Central due to indemnity clause in ToS :
  https://central.sonatype.org/publish/producer-terms/
- Priority is to firewall our Nexus instance and host our repo via Apache at :
  https://build.shibboleth.net/maven
  - for backwards compat with our POMs will need to redirect
    - https://build.shibboleth.net/nexus/content/groups/public
      to
      https://build.shibboleth.net/maven/releases
    - https://build.shibboleth.net/nexus/content/repositories/snapshots
      to
      https://build.shibboleth.net/maven/snapshots
    - https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots
      to
      https://build.shibboleth.net/maven/thirdparty-snapshots
    - and remove thirdparty/ when “Rod’s Rules” are in place
As to whether someone else publishes to Central (for us), I think they would need to indemnify us but we do not really exist (as a legal entity).
Looking for confirmation - technical details in the agenda above.
Making some progress running Nexus/Jenkins in ECS/Fargate using Docker Compose (which wraps CloudFormation) - is that ok ?
- Plan is to use docker-compose.yml as infrastructure-as-code, open to alternatives (awscli, AWS console, Terraform) but this seems simplest / easiest.
Working through IdP browser tests in Jenkins with Jetty 9.4 versions (a) up to 9.4.43 as well as (b) 9.4.44 and up (conditional build step to inject idp-jetty-base version)