2013-08-16
Shibboleth Developer's Meeting, August 16, 2013
Attendees: Brent, Ian, Marvin, Rod, Scott, Tom
Call Administrivia
Dial-in attendee identification.
Next call is next Friday. Any reason not to meet?
60 to 90 minute call window.
Brent
Deep in metadata resolver redesign and impl. Existing providers have been refactored in a coarse way to the new resolver API. Removed the old metadata credential caching bits, to be replaced by a new mechanism which caches the resolved creds directly on the relevant XMLObject via new "object metadata" API (or other name TBD).
A lot of metadata support design discussion this week on the dev list. At this point I've warmed to the idea of doing some amount of pre-processing in the batch-oriented resolvers, at least for entityID indexing and converting EntitiesDescriptor/@Name data to a representation on EntityDescriptor. Now also have general working idea about how to handle Extensions, via a plugin interface.
Daniel
Out today.
Ian
Rod
Nothing to report. NOTE I'm going to be away (business travel/vacation/conference) on and off from Tuesday until 10/17.
Scott
Reimplemented SubjectCanonicalizer code as a context-driven webflow. Redesigned the later stages of authentication to bridge to a SubjectCanonicalizer subflow and back to complete the process. Updated the authentication design page with new summary of the steps involved.
Rest of time spent designing a new approach to handling requested authn methods that addresses a lot of constraints with current code and some problems with my early design. All of it is general to any protocol, not just SAML.
Work done:
designed a predicate factory and registry approach to plugging in rules for evaluating whether a "thing" supports a requested authentication context class or declaration
the "things" we need to examine for support are called PrincipalSupportingComponents, and include flow descriptors, results, and validation actions (the things that actually do credential checking for login)
implemented predicate factories for exact matching (all that V2 does) and inexact matching (handles SAML "minimum", "maximum", and "better" operators)
built a new context subtype for capturing requested authentication details from the AuthnRequest
reworked validation action base class to do a preExecute check for whether the action supports one of the requested authentication types (if the SP requests any)
Work left:
redo SelectAuthenticationFlow properly to use Predicates to evaluate flow descriptors and results before using them
unit tests
Spring examples and testbed testing
JSP-based login form support
Tom
This week started off with IP-307 "Move attribute mapper from idp-attribute-filter to new module", which is done in my local workspace. Two distractions: the first is idp-metadata and the second is testng. Also, was out for a couple of days with appointments, and it looks like the month long infrastructure outage is resolved, there was like 80% packet loss at the upstream node.
I was wondering where to move RequestedAttribute, and decided I should make the class Javadoc more verbose so I remember that it is metadata, since the class is not in a package nor module with the word "metadata" in it. That led me to IDP-302 "Verify and document proposed metadata provider work", because all I know is what was posted to the dev list those three years ago.
My suggestion is to move the CompositeMetadataResolver to OpenSAML, IDP-299, and then delete idp-metadata-api, unless there is some reason why we need a metadata module in IdPv3 and I do not see one at this time. I think Resource based MetadataProviders are okay, especially for extensibility.
Oh, I did update the Configuring Eclipse wiki page with tips on how to install Subversion 1.7 via MacPorts, the instructions there are not totally correct but close enough.
Finally, I got my local workspace mostly correct with regards to idp-attribute-mapper, but there was no one- or two-click way to run unit tests within Eclipse and without using mvn from the command line. So I spent a little time looking at testng xml suite definitions, and I think I can get it working so we can run tests inside Eclipse, sheesh.
Rod: could you update the description for the new Attribute Mapper Component in JIRA, please? Otherwise I will read the Javadoc and figure it out.
TL;DR Mostly about metadata, attribute-mapper, testng.
Anyone: what is the largest metadata we support?
Note: Rod is going to keep point on Resources, for when he returns. Added subtask IDP-308 "Review and conclude Resource discussion" to IDP-298 "Review Resources and their use", to follow up on Columbus discussion.
Note: Need to understand and mock-up sub-flows.
Other