/
September 2025 Update

September 2025 Update

Since the last update, we have made progress on a number of fronts:

  • Re-enabling web access to our source code and investigating other options

  • Multiple IdP patches and publishing our plan for scheduling future releases

  • Resumed work on OpenID Federation to support federation pilot activities

  • Continued work on SP 4 documentation and design improvements

  • Began initial work on SP 4 OIDC support

After the UK Federation registered our SP, we re-enabled access to our GitWeb interface behind it, and have not experienced any further degradations that we are aware of. Shortly after this, we internally identified Codeberg as a possible direction to go in mirroring our source code, and perhaps eventually moving to it authoritatively, and have started experimenting with that possibility. Notably, Codeberg offers open source projects many of the same benefits of GitHub but with no requirement for indemnification.

As I wrote in July, we had to revisit our release plans (and do some testing) to determine how to respond to Spring’s changing support timeline. Our https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/4570349571was announced and published a few weeks ago and we released IdP V5.1.5 with Spring 6.2.9 shortly after. Unfortunately, a Spring security issue was published immediately after, and we received a security report regarding CAS just after that, so it took several weeks to get that addressed and V5.1.6 was finally released this week along with the CAS advisory. Thank you to Unicon and Mike Grady in particular for helping to get the patch tested quickly.

Work continues to enhance and polish the OpenID Federation support, and we have started to work on refactoring it into separate modules or plugins if we can to better isolate it for maintenance and delivery if we can. The intial development work was OP-specific and implemented inside the OP plugin and it will eventually be needed for other use cases (the SP in particular), so refactoring now will hopefully save time later.

While not that visible, a lot of work has been done on the SP documentation. While there are some isolated portions of the older documentation that will eventually be reusable, most of the documentation is brand new, both because the SP configuration is changing so much but also because of the desire to address community feedback over the good and bad aspects of our older documentation. We are spending a lot of time working on a better separation between “basic”, “intermediate”, and “expert/reference” material for the new version and I think it is shaping up fairly well, though it’s still early. The agent documentation is publically visible, though far from done, but the hub documentation is still internal for the moment as it’s in a less reviewable state. It should hopefully be public soon, but it’s much more complex to document due to the higher degree of inherent complexitty in the hub.

I was able to implement an additional round of code refactoring to address issues with the configuration that I recognized in trying to document what had been done. If I can’t document it easily, it isn’t going to be easy to use, so the feedback cycle there is continuing, but I’m much happier with the results now and believe it’s much closer to a final design now.

It’s still my hope that an alpha release will be achievable this calendar year, but it will ultimately be done when it’s reached the appropriate level of maturity to be worth people’s time in testing.