September 2023 Update

The past month has been spent getting betas of the IdP and all our plugins available for testing and getting ready for the V5 release, which is expected to occur over the course of this week. Nothing significant has come up while testing, though thanks to a member reporting a problem when Duo fell over a couple of weeks ago, we identified what is probably an HTTP connection leak that happens mainly when certain kinds of connection failures occur. That’s been fixed for the release obviously.

The initial EOL date for V4 is probably going to be set at a year out, consistent with past major releases. Based on how some of our own upgrades have been going, it is likely, if not certain, that we will reduce this further simply to free up time that can be better spent on new work than on issuing patches. So far the upgrade process has been very smooth, and this appears to be the least impactful major upgrade in the project’s history. Ultimately we are driven by the feedback we get, so these plans are based only on our own internal sense of what the upgrade looks like and are always subject to revision. Even if it costs us some support time to help members upgrade, that’s time better spent than patching old code.

Of course all of the plugins are ready to go and we have re-run the OpenID certification tests on both the OP and RP successfully. Note that:

  • All plugins will require updating after the upgrade. The installer notes this.

  • Some plugins are more or less required now due to changes, such as the need for a scripting plugin for JavaScript support due to Java changes, and the need to migrate to the JDBC storage plugin if currently using the older Hibernate/JPA-based option, which has been removed.

The OP includes some small and some not-so-small improvements and new features that will take some time to document, but we are moving toward what I consider the holy grail, the ability to operate the OP without any form of client registration or metadata at all for internal, commonly-configured services. That will never meet all needs, but if 95% of the clients one supports can be defaulted, that’s a 95% work reduction compared to other OP implementations.

The next steps for the project, aside from obvious things like possible patches to the older software and a few backlogged work items, are going to be to get the roadmap in order and start producing some estimates for our potential future work, which the Board will work into budget proposals for the membership to consider. We have plenty of work to keep us busy while that gets done, but we need to make some decisions by early to mid-2024 before we go too far on any major work items.

Among the more obvious candidate work items are:

  • the SP redesign

  • a plugin for FIDO 2 / WebAuthn support

  • a user profile capability that likely will include self-management of features like consent and the aforementioned WebAuthn features

  • various OAuth enhancements and additions (e.g., proof of possession tokens)

  • OIDCfed support

  • some kind of plugin to deliver a working Jetty container

  • the usual documentation backlog

  • code auditing

I will be at TechExchange in Minneapolis next week to present a project update along with sitting on a couple of panels, so I will see some of you in person for the first time in a few years.

A final note: Albert Wu of Internet2 has managed to recover a long-lost artifact, the original (and insanely overspecified) Shibboleth Message Flow diagram, and for a limited time it’s once again available on clothing for people who truly don’t care what others think of their wardrobe.

https://www.bonfire.com/shibboleth-message-flow/

(Notably, there’s no money coming back to us from this, so don’t buy one as a donation.)