September 2024 Update

Firstly, a reminder that IdP V4 has reached EOL as of last week. There will be no further updates to the old branch regardless of any issues that arise.

Secondly, a notable issue was “revealed” by a bug fix included in V5.1.3. The OIDC OP plugin depends on the Nimbus library, and we discovered a bug in the library that prevents our software from properly issuing responses, causing cookies we set to go missing. This generally manifests as a failure of SSO when initially accessing an OIDC client and then accessing additional services. (We have the bug fixed for the next OP plugin update, which is imminent.) The OP release notes outline the issue and some options in some detail.

A number of small plugin updates have been released (Rhino, JDBC Storage, TOTP), along with the initial production release of a Jetty on Windows installer for Jetty 12. The most notable issue with the latter is dropping support for client TLS authentication via SAML metadata, which required a separate port. We have no plans to drop support for any of the use cases that generally operated over that back-channel, but require the few deployers that rely on them to migrate them to port 443 and the use of message signatures (as with all the OIDC back-channel profiles that rely on the primary port already).

We expect the next OP plugin update and the first official WebAuthn plugin release later this month.

I am beginning some work on a refresh release of the current SP (it will be V3.5) to address a few small bugs and to refresh a number of libraries on Windows to get things current again. I will most likely move to the latest production OpenSSL version at that time. The point of the minor version bump is mostly to reflect that new minor versions of several libraries may be involved in the release, and allows a setting or two to be added. It is not expected to be a significant release for deployers. It will probably take a bit of time to prep this, so “maybe October?” is my best guess at this time.

In parallel, work has continued on the SP redesign and I am deep into the process of building out a response handling flow and a subflow implementing SAML 2 processing. As I had hoped, the majority of the Java code needed to validate the response has been almost entirely reused from the IdP’s proxy support. I have completed work up to the very end of the flow, which begins to diverge into new code that is mainly about extracting Attributes from the response message, running the Attribute Resolver to pull in additional data, and eventually packaging up the resulting data for the agent.

I have begun to work through some of the design questions around handling of sessions by the existing agents that require that capability and have settled on attempting to make this work with the simplest mechanism possible, namely storing session data in files. That immediately solves multi-process web server concerns, and a distributed file system is one possible clustering solution of course. I have always avoided this in the past (it isn’t supported now, obviously), but it is the most common way other Apache modules solve this problem, and if it scales well enough, it radically simplifies development and deployment. I don’t expect this will be the only possible solution supported, but in terms of the “primary” approach, it’s the most likely one at this point.

I’m still hesitant to say we’ll have demoable code by the end of 2024, but I would say that a production release of SP V4 is starting to feel possible by the end of 2025, and certainly no later than mid-2026. That would probably put us in a position to sunset the current code base by 2029, if not sooner, depending on how successful the new design turns out to be.