November 2022 Update

Relatively short update this month, as we’ve mostly just been continuing with existing work projects.

The OIDC feature update should be out shortly; there is just some final cleanup work left to do in cooperation with partners working on new functionality separately for eventual inclusion in our code base. A testable snapshot of the OIDC RP plugin is available while development on that wraps up. See http://shibboleth.net/pipermail/dev/2022-October/011027.html for details.

With the holidays coming up, we may or may not end up shipping IdP V4.3 this year, as there’s no significant rush and a lot of attention is split right now among other deliverables or longer term projects.

The most interesting activity this month was the rare occurrence of a new SP release. This was not a particularly urgent need, but we were prepared to react to the recent OpenSSL 3.0 advisory, which was initially graded critical but ended up high, and arguably might in fact be moderate at best. The OpenSSL project erred on the side of caution, so we did likewise, and it made sense to go ahead and roll up a handful of fixes and enhancements and ship a new release. Patching to this version should be a non-event.

Notably, I went ahead and uploaded ARM-64 binaries to all of the actively supported platform repositories, as several organizations have expressed interest in that architecture to potentially save money on cloud costs. We have little or no experience with these packages so they are officially unsupported for the moment, but based on feedback we will consider moving them into the partially supported category (i.e., supported for consortium members). Building them is not a problem, so testers should be confident we will continue to supply patched versions if it becomes necessary.

Another call out: we have a package set for the current prerelease of Amazon’s 2022 Linux platform and the repository generation script presents that option for testing as well.

Another noteworthy mini-project was an effort I undertook last month to clean up and automate most of the current content in the IdP's web.xml file. This will be part of the V5 release. Aside from the clutter, the sheer number of references to a variety of Spring and Shibboleth classes has made upgrades more difficult than we would prefer, and has actually been among the more common sources of breakage during upgrades. Fixing this once and for all has been a priority, so a number of new classes have been built to offload most of the content of the file into “initializers” that are automatically detected by newer containers. This hides all of the gory details and provides the ability to use properties to configure the relevant filters and servlets where necessary. Plugins will also be able to automatically inject their own content in most cases. More testing is needed but I believe the changes will be compatible with existing deployments.