January Update
- Scott Cantor
We were unusually busy in December handling a few different security issues and patches and a few work items.
The SP received a long gestating update to add support for OpenSSL 1.1.1 that turned into a security release at the last minute due to a regression introduced in V3. We haven't done significant testing yet, but these OpenSSL and curl updates theoretically add support for TLS 1.3 for the first time. I've done a bit of investigation into the possibility of HTTP/2 support and it turns out that curl doesn't really support it natively, it's only supported through the addition of another library. I haven't seriously entertained the thought of adding that to the mix; I don't think there's sufficient benefit from doing so at this point. The advantages of HTTP/2 don't really apply to the SP's use cases for outbound HTTP traffic, and technically it isn't even allowed by SAML's SOAP 1.1 binding. The TLS 1.3 support is more relevant long term.
The IdP has continued to receive patches due to a combination of security issues and regressions, most of them due to a late decision to deprecate some syntax we probably should have left alone, but c'est la vie. Another patch is coming this week to fix two more regressions identified by deployers.
I completed most of the planned Logout enhancements, and the changes are largely if not completely backward-compatible with the existing view templates, which was unexpected. Since these are V4 features, we don't have updated documentation yet, but there are essentially just some new messages and a property or two that control the sequence of events and the choices presented to the user during logout, and it's now possible to preempt the entire operation if you want to give the user that option, which was, oddly, requested by a number of people.
We haven't seriously opened up the V4 branches for larger work yet, but that's imminent, probably starting with the move to Java 11 as our development baseline. A feature branch was pushed containing an OIDC login flow and I'll probably merge a version of that pretty soon. I was greatly disappointed, though not surprised, to learn how little actual support for OIDC exists among the major social identity sources but we're not going to get into the business of supporting one-off protocols in our core code. I would anticipate us producing unsupported examples as add-ons to demonstrate the non-standard ones that are of interest.
I don't have a real update regarding the broader OIDC support, but if it's not already been finalized, I expect the add-on will be getting a 1.0 release soon.