September Update

The last month has been spent ramping IdP development back up and preparing for a release of V3.4 in October. The number of bug fixes and features is quite large (pushing 150+), so this is a pretty big new release that is intended to bridge to V4 as the next big update. There are a couple of things that haven't made the cut, primarily redesigning the logout behavior in response to a lot of feedback. Both time constraints and the need to maintain compatibility made it appealing to delay that work until V4 when we have more freedom to change the UI in ways that might require a small bit of rework for deployers instead of guaranteeing drop-in compatibility.

In the meantime, there should be enough to keep people busy with V3.4 for a while:

  • A nice HTTPConnector for web services integrations (I built it, so I'm biased, but I've been using it for Grouper and AWS integration projects and it's been really, really convenient to use)
  • Built-in wiring and convenience functions that make it possible to drive a ton of configuration options using metadata "tags"
  • Non-browser Duo AuthAPI support
  • Improvements to the deployability of the DynamicHTTPMetadataProvider and LocalDynamicMetadataProvider plugins
  • Improvements for embedding scriptlets in a variety of configuration scenarios
  • A new "attended startup" mode that prevents on-disk access to an unlocked or trivially encrypted private key
  • The ability to provision CAS services using SAML metadata for consistency and to support the new metadata-driven configuration mechanisms
  • Added support for SAML proxying constructs to detect/react to proxied SPs and to express upstream proxying to SPs
  • Greatly enhanced context-check interceptor that can handle multiple scenarios at the same time
  • A new impersonation interceptor that supports advanced debugging or testing scenarios
  • Some small features to support the drop-in addition of the under-development GEANT OIDC extension

And more, but that's plenty for now.

We'll be wrapping up work this month, testing over the next couple of weeks, and should be freezing around the end of the month with a release in time for TechExchange in Orlando.

We're also working on a more modular and minimal configuration for Jetty 9.4 that will form the basis of not only the Windows "quick install" package but a maintained/curated Jetty configuration to make deployment simpler on other platforms for people without experience with Jetty. We're not planning to fully "embed" Jetty because that's nearly impossible to maintain over time for mature use as a production web server, but it should be a good starting point for most people.

On the SP front, things have been pretty quiet, so one presumes either upgrades are going reasonably smoothly or people are stuck on software with some known security bugs, but I'll choose to assume the former. There will most likely be a patch update later this year if only because OpenSSL 1.1.1 is now out, and 1.1.0 will be EOL soon.

Both OpenSSL and Jetty are introducing the first iterations of TLS 1.3, which is different enough from TLS 1.2 that it will require some time to digest (pun intended). Hopefully, if some adjustments are needed, the less frequent use of the back-channel in the SP should soften the impact.