October Update
In the last month, the APIs and design of the new IdPModule and IdPPlugin features have firmed up and we have completed converting all of the "likely" candidates for modularization in the core feature set. Much of the XML configuration across the admin, login, interceptor, and c14n flows have been reduced or eliminated in a backward-compatible way in favor of properties for most simple settings, and any remaining XML files for those features have been buried within modules and will be left out by default.
A lot of documentation updates need to be done to update things without totally disrupting existing readers, but we have a strategy using tabbed content that seems to be non-intrusive (see AuthenticationConfiguration for some examples). The changes are really just to how existing settings can be applied, not so much to function or features, so hopefully this won't be viewed as disruptive despite the volume of changes. Note that properties can be injected externally much more easily, which is hopefully of some value to those using Docker.
The TOTP and Duo Universal Prompt plugins are nearing feature completion and are on track to ship alongside this release and work will hopefully get underway this month to prepare the OIDC extension for its final "official" form as a project-delivered code base (as we have warned, there will be changes required for those who have deployed the earlier releases but we will try to minimize them). That work, documentation, and testing are the main blockers to get V4.1 completed, and a 2020 release is not impossible, though probably a bit aggressive.
At this point we expect to deliver at least one "final" 3.4 patch update to close out the legacy code branch before the end of the year and leave things as clean as we can, but we do not anticipate there being flexibility about the EOL date because Spring's plans haven't changed. We want to reinforce that trying to create a "clean" slate to upgrade from V3 to V4 is an absolute mistake. We urge people in the strongest possible terms NOT to worry about "cleaning up" anything but the things the log warns are deprecated or that are highlighted in the Release Notes. The V4 horizon is not expected to be short and there's plenty of time later to worry about cleaning up or updating settings.
On other fronts, we are working on a refresh of the xmlsectool utility to rebase it on the Java platform used by the V4 IdP as we get closer to sunsetting the older platform.
We also have some accumulated fixes to the SP and a couple of member-requested features that will probably result in a V3.2 by the end of the year. We are hoping to be able to move to a new, more automated build process for the packages with that release.