April 2023 Update

Most of the last month has been taken up by the continuing audit of the code base (OpenSAML chiefly now) for unstated or incorrectly expressed null constraints to tighten up the code and address various lurking bugs and inconsistencies. These kinds of changes often involve subtle changes to the public API so they have to be done in major releases, and so we have limited windows to do this sort of cleanup. One of the open questions is what to do with the XACML code in the library, which has never been used by the project in any capacity. Cleaning all that up is not work we can justify, but leaving it in place doesn’t sit right either, so it may end up removed from the library and published somehow in an unsupported capacity for anyone that needs it.

Once that work is done, we will be ready to really start testing the refactored code in some real world environments to review exactly how pervasive the changes seem to be for deployers and possibly start forking the documentation for V5. There is still a decent number of significant backlog items left to complete, so we’re not really even close to a beta at this point, but we do want to start moving things along. We will also begin testing the IdP on Jetty 12, which is in beta, and produce the documentation/examples needed for that container.

We are a little behind on getting the new OIDC plugins shipped, but work on those is finally wrapping up and, after a bit more review, they should hopefully be ready by the end of April. It has been unsurprisingly tricky to align everything so that both the OP and RP plugins can co-exist because of the configuration overlaps, something we never really had to deal with for SAML since it’s part of the core software.

Note that both the IdP and SP (on Windows in the latter case) received security patches over the last month. Neither issue was hugely significant, but the IdP problem involved an accidental commit (by me) and demonstrates the need for a bit more care while testing new features. It could have been much more serious.