2014-01-24
Shibboleth Developer's Meeting, January 24, 2014
Call Details
Meeting URL: http://fuze.me/22924791
Toll / Intl #: +1 (201) 479-4595
Toll-Free #: N/A
Meeting Number: 22924791
Attendees:
Call Administrivia
10:00 Central US / 11:00 Eastern US / 16:00 UK
Dial-in attendee identification.
Next call is next Friday. Any reason not to meet?
60 to 90 minute call window.
Brent
Daniel
Ian
Reorganized the dev call material in the wiki a little; it was getting unwieldy.
Spring Framework V4 transition:
Spring Boot 1.0.0 RC1 now out
Spring Framework 4.0.1 (bug fixes) expected Monday 27-Jan.
Spring Webflow 2.4 now delayed to 14-Mar (RC1 12-Feb).
BUT v2.3.3 compatible with Spring Framework 4 expected Tuesday 28-Jan.
Already tagged on GitHub, presumably in QA now.
Sounds like we can switch later next week.
Moving from endorsed Xalan/Xerces to JDK-supplied JAXP implementation:
investigating this via a deep build of the ukf-mda and UKF tooling
pro: we wouldn't be dependent on shipping something from 2009
pro: recent security properties work
con: XPath/XSLT extension functions in Xalan namespace don't work
con: ordering constraint or resolver may be needed when building schema (investigating)
should we implement a CatalogResolver to address this?
Rod
Apologies.
Tracking the C14N discussion and NameID generation stuff.
Scott
Redesigned how authn and subject c14n "connect" so it resembles configuring authentication itself
More flexibility, each login flow can potentially connect to >1 c14n flow
Allows SAML subject -> principal mapping process to be configured the same as login subject -> principal mapping
Would like to deprecate PrincipalConnector
Created a new NameIdentifierGenerator plugin API to move NameID generation out of resolver
Implemented a Default generator for SAML 1/2 that pulls data from attributes (String, Scoped, XMLObject) and builds a NameID
will support any Format specified
supports NameQualifiers and option to omit them if defaulted or not set
Plan is to build a multi-map of Format to Generator in subject-config.xml (name TBD)
SAML actions will combine nameIDFormatPrecedence from profile config + SP metadata + SAML 2 NameIDPolicy to compute Format prefs
try each Format, test Generator as Predicate to see if applies, try it if it does
take first non-null result
Transient / Persistent can be done as dedicated plugins ideally, would like to move them into idp-saml-impl
Need to look at sharing code between legacy plugins for Transient/Persistent and new ones, seems like should be straightforward
Legacy generator to pull from NameIDEncoders from resolver results
Goal is to have a new Spring config to control all aspects of Principal/Subject mapping and translation, mostly about SAML now but eventually would include other techs as needed (or never touched again)
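Added example, not from the meeting notes and not Shibboleth code: a sketch of the Format-to-Generator selection loop outlined above (multi-map lookup, Generator tested as a Predicate, first non-null result wins). The Generator interface, the fromAttribute helper, the rule used in formatPrefs to combine the three sources, and the attribute ids "mail" and "storedId" are all assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Predicate;

public class NameIdSelectionExample {
    /** Hypothetical plugin shape: a generator is also a Predicate that says whether it applies. */
    interface Generator extends Predicate<Map<String, String>> {
        String generate(Map<String, String> attributes); // null means "no value produced"
    }

    /** Hypothetical generator that builds the NameID value from one resolved attribute. */
    static Generator fromAttribute(String id) {
        return new Generator() {
            public boolean test(Map<String, String> a) { return a.containsKey(id); }
            public String generate(Map<String, String> a) {
                String v = a.get(id);
                return (v == null || v.isEmpty()) ? null : v;
            }
        };
    }

    /** Assumed combination rule: a NameIDPolicy Format is tried alone; otherwise the profile
     *  precedence order is kept, restricted to the Formats in SP metadata when it lists any. */
    static List<String> formatPrefs(List<String> precedence, List<String> spFormats, String policyFormat) {
        if (policyFormat != null) return List.of(policyFormat);
        List<String> prefs = new ArrayList<>(precedence);
        if (!spFormats.isEmpty()) prefs.retainAll(spFormats);
        return prefs;
    }

    /** Try each Format in order, skip generators that do not apply, take the first non-null result. */
    static Optional<String[]> select(List<String> prefs, Map<String, List<Generator>> byFormat,
                                     Map<String, String> attributes) {
        for (String format : prefs)
            for (Generator g : byFormat.getOrDefault(format, List.of()))
                if (g.test(attributes)) {
                    String value = g.generate(attributes);
                    if (value != null) return Optional.of(new String[] {format, value});
                }
        return Optional.empty(); // no generator produced a value for any preferred Format
    }

    public static void main(String[] args) {
        String email = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
        String persistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
        Map<String, List<Generator>> byFormat = Map.of(
            email, List.of(fromAttribute("mail")), persistent, List.of(fromAttribute("storedId")));
        Map<String, String> attrs = Map.of("storedId", "constructed-opaque-value"); // constructed sample
        select(formatPrefs(List.of(email, persistent), List.of(), null), byFormat, attrs)
            .ifPresent(r -> System.out.println(r[0] + " -> " + r[1]));
        // NameIDPolicy names emailAddress but no "mail" attribute was resolved: nothing is generated.
        System.out.println(select(formatPrefs(List.of(email, persistent), List.of(), email), byFormat, attrs).isPresent());
    }
}
```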
Tom
Somewhat at a stopping point with the SAML 1 flow, need guidance regarding inbound and message handlers.
Worked on flow "unit" tests, not sure if executing flows manually will be that useful, perhaps running a test SP and IdP via embedded Jetty will be.
Note about using bean "dev" profile in ipaddress-authn-config.xml
Question about SWF being "recursive"
Annotations as documentation-only for non-test code.
Comment on Fuze audio, going silent takes some getting used to.
Oh...now I understand, I think, why we had Services.
Other