Shibboleth Developer's Meeting, August 16, 2013

Attendees: Brent, Ian, Marvin, Rod, Scott, Tom

Call Administrivia

Dial-in attendee identification.

Next call is next Friday. Any reason not to meet ?

60 to 90 minute call window.

Brent

Deep in metadata resolver redesign and impl. Existing providers have been refactored in a coarse way to the new resolver API. Removed the old metadata credential caching bits, to be replaced by a new mechanism which caches the resolved creds directly on the relevant XMLObject via new "object metadata" API (or other name TBD).

A lot of metadata support design discussion this week on the dev list. At this point I've warmed to the idea of doing some amount of pre-processing in the batch-oriented resovlers, at least for entityID indexing and converting EntitiesDescriptor/@Name data to a representation on EntityDescriptor. Now also have general working idea about how to handle Extensions, via a plugin interface.

Daniel

Out today.

Ian

Rod

Nothing to report. NOTE I'm going to be away (business travel/vacation/conference) on and off from Tuesday until 10/17.

Scott

Reimplemented SubjectCanonicalizer code as a context-driven webflow. Redesigned the later stages of authentication to bridge to a SubjectCanonicalizer subflow and back to complete the process. Updated the authentication design page with new summary of the steps involved.

Rest of time spent designing a new approach to handling requested authn methods that addresses a lot of constraints with current code and some problems with my early design. All of it is general to any protocol, not just SAML.

Work done:

designed a predicate factory and registry approach to plugging in rules for evaluating whether a "thing" supports a requested authentication context class or declaration
the "things" we need to examine for support are called PrincipalSupportingComponents, and include flow descriptors, results, and validation actions (the things that actually do credential checking for login)
implemented predicate factories for exact matching (all that V2 does) and inexact matching (handles SAML "minimum", "maximum", and "better" operators)
built a new context subtype for capturing requested authentication details from the AuthnRequest
reworked validation action base class to do a preExecute check for whether the action supports one of the requested authentication types (if the SP requests any)

Work left:

redo SelectAuthenticationFlow properly to use Predicates to evaluate flow descriptors and results before using them
unit tests
Spring examples and testbed testing
JSP-based login form support

Tom

This week started off with IP-307 "Move attribute mapper from idp-attribute-filter to new module", which is done in my local workspace. Two distractions : the first is idp-metadata and the second is testng. Also, was out for a couple of days with appointments, and it looks like the month long infrastructure outage is resolved, there was like 80% packet loss at the upstream node.

I was wondering where to move RequestedAttribute, and decided I should make the class Javadoc more verbose so I remember that it is metadata, since the class is not in a package nor module with the word "metadata" in it. That led me to IDP-302 "Verify and document proposed metadata provider work", because all I know is what was posted to the dev list those three years ago.

My suggestion is to move the CompositeMetadataResolver to OpenSAML, IDP-299, and then delete idp-metadata-api, unless there is some reason why we need a metadata module in IdPv3 and I do not see one at this time. I think Resource based MetadataProviders are okay, especially for extensibility.

Oh, I did update the Configuring Eclipse wiki page with tips on how to install Subversion 1.7 via MacPorts, the instructions there are not totally correct but close enough.

Finally, I got my local workspace mostly correct with regards to idp-attribute-mapper, but there was no one- or two-click way to run unit tests within Eclipse and without using mvn from the command line. So I spent a little time looking at testng xml suite definitions, and I think I can get it working so we can run tests inside Eclipse, sheesh.

Rod : could you update the description for the new Attribute Mapper Component in JIRA, please ? Otherwise I will read the Javadoc and figure it out.

TL;DR Mostly about metadata, attribute-mapper, testng.

Anyone : what is the largest metadata we support ?

Note : Rod is going to keep point on Resources, for when he returns. Added subtask IDP-308 "Review and conclude Resource discussion" to IDP-298 "Review Resources and their use", to follow up on Columbus discussion.

Note : Need to understand and mock-up sub-flows.

Other