2019-09-06

Shibboleth Developer's Meeting, 2019-09-06

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-09-20. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

Attendees:


Brent

  • IDP-1461 - Finishing up issue with port of VelocityToolboxView; the whole Tools API and architecture changed substantially in their 1.4 → 2.0 → 3.0. Otherwise close to done.


Daniel


Henri

  • Unable to join the call today due to traveling
  • Working on OIDC RP configuration via EntityDescriptor
    • New idea to exploit MetadataNodeProcessor + set up Nimbus objects to XML object metadata (Thanks to Scott)

Ian


Marvin


Phil

  • IDP-1476
    • Tested the effect of the HTTP-POST binding and SameSite=Lax cookie flag when using server-side consent and session storage (updated doc here IdP SameSite Testing)
      • SameSite=Lax will not send the shib_idp_session cookie in the initial POST request. However, SSO still works unless the list of beans in shibboleth.ClientStorageServices is removed, as the client storage read subflow and view-state are still executed and subsequent requests are made same-origin (then including the shib_idp_session cookie).
        • Takeaway: if a deployer switched to server-side storage, they would also have to remove the shibboleth.ClientStorageServices beans, and the SP would need to issue an authN request using the HTTP-POST binding for SSO to break
    • Implemented a Servlet Filter for appending SameSite=None to configured cookies (ignoring any not configured or already with same-site set) (IdP SameSite Filter Implementation).
      • Was a bit harder than I originally thought as the HttpSession identifier cookie (JSESSIONID) is set by the container, bypassing the servlet filter chain. So I followed the same approach as the DynamicResponseHeaderFilter to capture attempts to write a response.
      • Also identified a bug in spring-test which prevents the MockHttpServletResponse class from operating in a similar way to a container when setting cookie headers (https://github.com/spring-projects/spring-framework/issues/23512). They have fixed it in the current snapshot, hence the test class is likely to fail inside current java-support.
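The following is an added illustration, not Phil's filter or any Shibboleth project code, of the approach described above: wrap the response, intercept the calls that commit it, and at that point rewrite any Set-Cookie headers already present (including the container-set JSESSIONID) for a configured list of cookie names, leaving alone cookies that are not configured or already carry a SameSite attribute. The init-param name `cookieNames`, the class names, and the decision to also append `Secure` when missing (browsers reject SameSite=None without it) are this example's own assumptions.

```java
// Added example (not Shibboleth project code). Appends SameSite=None to a
// configured set of cookies when the response is about to be committed.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SameSiteNoneFilter implements Filter {

    /** Cookie names to rewrite; the "cookieNames" init-param is an assumption of this example. */
    private final Set<String> cookieNames = new HashSet<>();

    @Override
    public void init(final FilterConfig config) {
        final String names = config.getInitParameter("cookieNames"); // e.g. "JSESSIONID,shib_idp_session"
        if (names != null) {
            for (final String n : names.split(",")) {
                if (!n.trim().isEmpty()) {
                    cookieNames.add(n.trim());
                }
            }
        }
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new SameSiteResponseWrapper((HttpServletResponse) res, cookieNames));
    }

    @Override
    public void destroy() {
    }

    /**
     * Rewrite one Set-Cookie header value. Cookies not in the configured set, or that
     * already carry any SameSite attribute, are returned unchanged.
     */
    static String rewrite(final String setCookie, final Set<String> names) {
        final String[] parts = setCookie.split(";");
        final int eq = parts[0].indexOf('=');
        if (eq < 0 || !names.contains(parts[0].substring(0, eq).trim())) {
            return setCookie;
        }
        boolean hasSameSite = false;
        boolean hasSecure = false;
        for (int i = 1; i < parts.length; i++) { // skip the name=value pair itself
            final String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.startsWith("samesite")) { hasSameSite = true; }
            if (attr.equals("secure")) { hasSecure = true; }
        }
        if (hasSameSite) {
            return setCookie;
        }
        // Browsers reject SameSite=None on cookies that are not also marked Secure.
        final StringBuilder sb = new StringBuilder(setCookie).append("; SameSite=None");
        if (!hasSecure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    /** Intercepts the calls that commit a response and fixes up Set-Cookie headers just before. */
    static final class SameSiteResponseWrapper extends HttpServletResponseWrapper {
        private final Set<String> names;

        SameSiteResponseWrapper(final HttpServletResponse response, final Set<String> names) {
            super(response);
            this.names = names;
        }

        /** Idempotent: rewrite() leaves already-tagged cookies alone, so repeated calls are harmless. */
        private void applySameSite() {
            if (isCommitted()) {
                return; // headers can no longer be changed
            }
            final Collection<String> existing = getHeaders("Set-Cookie"); // Servlet 3.0+
            if (existing == null || existing.isEmpty()) {
                return;
            }
            final List<String> rewritten = new ArrayList<>();
            for (final String h : existing) {
                rewritten.add(rewrite(h, names));
            }
            // setHeader replaces all existing Set-Cookie values; re-add the rest with addHeader.
            setHeader("Set-Cookie", rewritten.get(0));
            for (int i = 1; i < rewritten.size(); i++) {
                addHeader("Set-Cookie", rewritten.get(i));
            }
        }

        @Override public PrintWriter getWriter() throws IOException { applySameSite(); return super.getWriter(); }
        @Override public ServletOutputStream getOutputStream() throws IOException { applySameSite(); return super.getOutputStream(); }
        @Override public void flushBuffer() throws IOException { applySameSite(); super.flushBuffer(); }
        @Override public void sendRedirect(final String loc) throws IOException { applySameSite(); super.sendRedirect(loc); }
        @Override public void sendError(final int sc) throws IOException { applySameSite(); super.sendError(sc); }
        @Override public void sendError(final int sc, final String m) throws IOException { applySameSite(); super.sendError(sc, m); }
    }
}
```

Rewriting at commit time rather than in `addCookie` is what lets this catch cookies the container adds outside the filter chain; the trade-off is that the header fix-up runs against whatever Set-Cookie values exist when the first write or redirect happens, so a cookie added after the response is committed cannot be corrected.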


Rod

  • Failfast (IDP-1181)
    • Testing Ongoing
      • No great surprises except that RDBMSDataConnector would also benefit from a failFast property.
    • Case notes for more details
    • Did we get closure on default settings?
  • Reviewing backports and bug fixes for 3.4.5
  • Started kicking the wheels on Java-driven install (currently stalled)


Scott

  • Generics cleanup is about done, a few unnecessary cases are left and a few that can't be fixed easily
  • Spring parent bean / property conversion bug - don't really have time to prepare an easily digestible test for this since our reloading layer isn't something they'd see as "normal"
    • Upshot is, be careful inheriting from global beans in reloadable services that rely on property conversion
  • Constructor research: system files should avoid named constructor arguments and/or convert to property usage to avoid accidents
  • Reviewing backports for 3.5.4


Tom

  • Revisiting browser tests

Other