October Update

Famous last words, as we had to ship yet another IdP V3.4 security patch last month to address a memory leak, which required an unfortunately disruptive change to the classes supporting the External authentication flows. We don't take making breaking changes lightly, and we do apologize for not fully recognizing the risk of impact to third-party plugins, but it was a good chance to remind people that it's just not safe or supportable to directly copy most of our flow definitions, because they include non-public classes that are subject to change. We're happy to work with people on-list to provide any missing extension points that are needed, if they're consistent with our goals.

Work on IdP V4 has continued aggressively of late, and the installation changes are wrapping up, which should position us to ship without any major required work items left holding things up.

A new feature I just completed that's worth highlighting: in V4 it will be possible to split one's metadata configuration so that metadata filtering rules are separated from the core metadata provider configuration, allowing core federation-delivered metadata service definitions to be kept apart from local, deployer-created filtering rules.

A few significant updates on the plans for V4:

  • We're definitely not intending to ship the OIDC add-on in this release, but will work to ensure a compatible version of it is available at the same time as the release along with additional support for use of SAML metadata to manage relying parties. The final integration into the code base will be a major V5 work item.
  • We are optimistic that we will be able to provide a first iteration of SAML proxy authentication support in V4, as the work has proceeded well to this point and we don't foresee any hold-ups. It may not be 100% feature-complete, but it will certainly be usable, so we can evaluate whatever else might be necessary.
  • We continue to expect a seamless or near-seamless upgrade path to V4 from V3.
  • We are hopeful of reaching a very late alpha, or possibly a beta, release by the TechExchange conference in December, and expect to release by early next year. We could probably make an earlier date, but the extra time will help with testing and documentation.

Some on-and-off work on the SP has been occurring, mostly in response to a serious crash under load caused by a bug in the newly introduced cookie session recovery feature. The fix is done, but we're probably looking at a V3.1 SP release towards the end of the year, simply because of resource constraints. We would like to get a new RPM packaging process in place before doing another release, so that will take some extra time to manage. We do have packages available for CentOS 8 for the time being.