Shibboleth Developer's Meeting, January 24, 2014

Call Details

Meeting URL: http://fuze.me/22924791

Toll / Intl #: +1 (201) 479-4595

Toll-Free #: N/A

Meeting Number: 22924791

Attendees:

Call Administrivia

10:00 Central US / 11:00 Eastern US / 16:00 UK

Dial-in attendee identification.

Next call is next Friday. Any reason not to meet ?

60 to 90 minute call window.

Brent

Daniel

Ian

Reorganized the dev call material in the wiki a little, it was getting unwieldy.

Spring Framework V4 transition:

Spring Boot 1.0.0 RC1 now out
Spring Framework 4.0.1 (bug fixes) expected Monday 27-Jan.
Spring Webflow 2.4 now delayed to 14-Mar (RC1 12-Feb).
- BUT v2.3.3 compatible with Spring Framework 4 expected Tuesday 28-Jan.
- See https://jira.springsource.org/browse/SWF-1600
- Already tagged on GitHub, presumably in QA now.
Sounds like we can switch later next week.

Moving from endorsed Xalan/Xerces to JDK-supplied JAXP implementation:

investigating this via a deep build of the ukf-mda and UKf tooling
pro: we wouldn't be dependent on shipping something from 2009
pro: recent security properties work
con: XPath/XSLT extension functions in Xalan namespace don't work
con: ordering constraint or resolver may be needed when building schema (investigating)
- should we implement a CatalogResolver to address this?

Rod

Apologies.

Tracking the C14N discussion and NameID generation stuff.

Scott

Redesigned how authn and subject c14n "connect" so it resembles configuring authentication itself
More flexibility, each login flow can potentially connect to >1 c14n flow
Allows SAML subject -> principal mapping process to be configured the same as login subject -> principal mapping
Would like to deprecate PrincipalConnector
Created a new NameIdentifierGenerator plugin API to move NameID generation out of resolver
Implemented a Default generator for SAML 1/2 that pulls data from attributes (String, Scoped, XMLObject) and builds a NameID
- will support any Format specified
- supports NameQualifiers and option to omit them if defaulted or not set
Plan is to build a multi-map of Format to Generator in subject-config.xml (name TBD)
- SAML actions will combine nameIDFormatPrecedence from profile config + SP metadata + SAML 2 NameIDPolicy to compute Format prefs
- try each Format, test Generator as Predicate to see if applies, try it if it does
- take first non-null result
Transient / Persistent can be done as dedicated plugins ideally, would like to move them into idp-saml-impl
Need to look at sharing code between legacy plugins for Transient/Persistent and new ones, seems like should be straightforward
Legacy generator to pull from NameIDEncoders from resolver results

Goal is to have a new Spring config to control all aspects of Principal/Subject mapping and translation, mostly about SAML now but eventually would include other techs as needed (or never touched again)

Tom

Somewhat at a stopping point with the SAML 1 flow, need guidance regarding inbound and message handlers.
Worked on flow "unit" tests, not sure if executing flows manually will be that useful, perhaps running a test SP and IdP via embedded Jetty will be.
Note about using bean "dev" profile in ipaddress-authn-config.xml
Question about SWF being "recursive"
Annotations as documentation-only for non-test code.
Comment on Fuze audio, going silent takes some getting used to.
Oh...now I understand, I think, why we had Services.

Other