January 2024 Update

We are (mostly) back from holidays and back at it. The plan is still to target late January for the next set of releases but we have some work going on that might benefit from further IdP enhancements so we’re staying flexible, and there is no particular urgency right now.

I’ve covered most of this before, but the active work right now consists of:

  • IdP/OpenSAML 5.1, relatively small enhancements along with bug fixes for the couple of regressions raised since 5.0 was released.

  • Significant enhancements and bug fixes to the OIDC OP plugin, including a first implementation of OIDC logout support, further support and fixes for unregistered clients, and several other fixes and enhancements.

  • Ongoing development work on the first version of a native WebAuthn plugin.

  • Enhancements to the DuoOIDC plugin to support a new passwordless/WebAuthn “mode” of operation.

All of the plugin work is of course targeted at IdP V5.0 and above; we do not have plans for further feature development on the V4 IdP or plugin branches, though we will continue to support them until this fall.

Most, if not all, of the new work has landed on the main branches (for those adventurous types so inclined to test snapshots).

I described a bit about the Duo work last month, and I am happy to report that most of the development on that experiment is done and it appears quite promising as a passwordless solution for Duo subscribers. After evaluating some of the options, I chose to take the approach of enhancing the Duo plugin itself rather than attempting to create a lot of examples or (even worse) a new plugin to maintain. The result appears to be relatively simple to adapt and use in existing MFA workflows. The DuoOIDC login flow has been extended to support a “passwordless mode” of operation that adds an additional view to collect the username, tests for eligibility, and gives the user the option to select either passwordless or “traditional” authentication (generally password + Duo).

I developed a couple of username recovery mechanisms, mainly an encrypted cookie, to cache the username after a successful login so that future logins on a private device automatically populate the username. Once primed, logging in is generally as simple as hitting the Return key and then completing the passwordless challenge. IdP V5.1 includes the same support in the password login flow, so things work better together, but the updated plugin won’t strictly require that version.

Documentation for this work is under development at https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3360686194 and there is still some testing to complete, but I’m optimistic and very happy so far with the minimal effort it takes to deploy it. There are a lot of new properties and beans for edge cases, but in practice it’s largely property-driven and a matter of UI localization more than anything else. I would expect an updated plugin release in early February.