December 2023 Update

Work continues to finish the backlog for the release of IdP (and OpenSAML) V5.1. As we approach the holidays, we expect to hold off finishing these releases until January to give us a bit more time to add features and avoid a crush around vacations. These are minor upgrades (and patches) that are definitely not comparable to the significant changes that occurred in V4.1. The new work is largely documented at this point (https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510790 for the CSP changes, https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510658 for the new support for metadata-based Attribute naming overrides).

Additional feature work has continued on various plugins, but we intend to retain compatibility with 5.0 for all plugins to avoid the “coupling” of upgrades. At some point that may change but we will try to retain backward-compatibility as long as we can.

An initial round of several work proposals covering 2024-2027 or so has been drafted and will be discussed by the Consortium Board in January prior to presenting options to the membership to determine what future work to take on, and the membership fees required to fund that work and ongoing maintenance. These proposals address, among other questions, whether we will undertake the creation of a new version of the SP software (because of the costs associated not only with creating it but also with maintaining and supporting it, which are obviously substantial).

The main area of “new” work right now (prior to planning our next steps with membership) is around FIDO/WebAuthn (that is, “passwordless”) support, in a couple of different directions. A fully native plugin is under development now and will hopefully see early release next year. This work, like most of the “custom” extensions done by various deployers to date, is based on the Yubico Java libraries. We will be basing the persistence layer for tokens on our StorageService API, but will supply a more abstracted API for accessing and updating the registrations to support our own primitive UI efforts as well as third-party work.

The other direction of work being done in parallel involves more of a documentation/prototyping/example effort around how to use the existing features of the IdP and the Duo plugin to support the use of the “standard” Duo second-factor service as a passwordless solution, as their Universal Prompt does support WebAuthn fairly well at this point. Much of this work was driven by a community member who has graciously donated his work in progress to the project to evaluate and polish up a bit, and we will publish the results of this in some form. It may involve some new features, but is primarily an exercise in putting existing features together in a novel way. This should be an obvious direction to take for deployers that are committed to the Duo solution long term. We expect some results on this by January or February.

Please enjoy a happy and healthy holiday season, and I hope we continue to help you all achieve your goals while delivering software you don’t have to worry about breaking in the middle of the night.