December Update

The slides presented at CAMP a couple of weeks ago are attached.

Since the last update, a draft of the documentation on the new IdP plugin system has been put together, and we are starting to build snapshots of the current round of plugins to test installation and upgrades.

Work continues on the OIDC plugin configuration and much of the manual work to install it has been eliminated, and additional improvements to bring things in line with existing system conventions are still coming. Some "rough edges" of the original design have been identified and will be ironed out as we make changes for this "official" release. We hope most of this work will be wrapped up this month so we can get to testing the OIDC changes in earnest. Setting up an AWS-based testing environment we can use going forward will be an important part of that work.

The beta announcement of xmlsectool V3 was sent and the official release will occur this month, along with an IdP V3.4.8 patch to wrap up work on the old branch along with some final library updates to get that release on the best possible footing as it sunsets in a few weeks. This will include an update to the last release of Spring 4, which is coming this week.

Jetty 10 and 11 were released this week (the difference between them relates to a major breaking change happening in the Java world from the original javax.servlet APIs to the new Jakarta-based APIs that are replacing them. IdP V4 (and 3 of course) is based on the original APIs and will not run on Jetty 11. We expect that it will run on Jetty 10 but testing that is not a top priority for the moment and we have no configuration examples for that at present and do not plan on extending official support to it until V4.1 at the earliest. It seems likely that moving to the Jakarata APIs and Jetty 11 will be a logical step to take in IdP V5.0, but that's only practical once Spring is updated and likely would happen after Java 17 replaces Java 11 as the next LTS release. So this is all speculative and would be in 2022 at the earliest.

(A similar issue exists with Tomcat, which appears to be moving to Jakarta APIs for Tomcat 10, and so we will be left supporting only Tomcat 9 for now.)

On the SP front, the recent OpenSSL advisory was a non-issue but was a good forcing function to get V3.2 completed as planned before the end of the year. Work is mostly complete but we can take an extra week to fix an additional cosmetic bug or two and do more testing, so it should be out early next week. There have been a handful of additional deprecation warnings added to address some poor choices in configuration names, but not much else is noteworthy for this version.

An ACAMP session was held to discuss the future sustainability challenges surrounding the SP software. The notes reflect a productive, engaged discussion, and we will be contacting the people who have expressed interest in further collaboration on this topic soon.