2011-03-24
Developer Call Notes - February 10, 2011
Attendees: Daniel Fisher, Jim Fox, Nate Klingenstein, Chad La Joie, Brent Putman, Rod Widdowson, Ian Young, Tom Zeller
Developer's Face-to-Face Meeting: Chad La Joie
- A closed-to-the-public, face-to-face meeting, will occur on April 18th, at the I2 Member Meeting.
Metadata Query Metadata Provider for IdP v2.3: Chad La Joie
- The current version 2 APIs are not suitable for this type of metadata provider. Work on this has been tabled until version 3.
LDAP Interface to Attribute Resolver: Tom Zeller
- topic from email on dev list
- Many applications query LDAP for attributes, is there a way to "skin" the IdP with an LDAP interface in order to work with such applications?
- OpenLDAP and ApacheDS have pluggable backends
- Attribute resolver is not designed to be queried; this may lead to an LDAP interface that only supports LDAP filters with a single predicate
- Tom Z will write up further thoughts on this and send it to the mailing list
External Authorization Manager: Tom Zeller
- topic from email on dev list
- use a XACML PDP to externalize authorization policies; PDP may be controlled independently of application
- potentially use XACML as attribute filter policy language in IdP; a plugin was available to do this in IdP v1.3
- SAML predicate work being proposed by IBM, Zürich on the SAML and XACML mailing list may also be applicable
External Authentication System Login Hander for IdP v2.3: Chad La Joie
- Brad from UWisc submitted SIDP-448
- Chad implemented this as a new login handler
- it's important to note that the parameters based by the new login handler could be messed with by a malicious user and so should be treated as strictly advisory information for the external authn system
- Jim noted that if you wanted to always defer to the external authn system you could use this login handler and turn off the previous session login handler
Spring WebFlow use in IdPv3: Chad La Joie
- Chad has spent some time looking at Spring WebFlow and consulting with Andrew Petro (Unicon) and believes WebFlow v2.3 may be usable to handle all the profile handler routing and conversation state management logic.
- When Profile Handler work begins on IdPv3, the developers will attempt to use Spring WebFlow
Upgrade Authentication Method on Existing SP Session: Jim Fox
- Jim asked if it was possible to "upgrade" an SP session's authentication mechanism (e.g., user is currently logged in with username/password and now they should be logged in via OTP for what they're trying to do)
- Nate noted you could use a session initiator for this; force authentication and request the new authentication method
- This does create a new session at the SP and thus might come with different attributes which could confuse some apps
IdPv2.3: Chad La Joie
- Rod has checked in JSP taglibs that provide easy access to MDUI and contact person data for the relying party
- Rod will check in an update example login page for the IdP that uses new tag libs and renders a "pretty" page
- Brent will attempt to address his outstanding v2.3 tasks next week
OpenSAML in Maven Central
- Colm O hEigeartaigh is working with us to get OpenSAML in to Maven Central as he works to update WSS4J to use OpenSAML2
- Going forward we will try to publish artifacts in Maven central but if we run in to a case where, for technical reason, we need to use libraries that are not in Maven Central then we'll use those libraries and no longer publish in Maven Central
Next meeting: April 7, 1600UTC