Shibboleth Developer's Meeting, 2019-09-20

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday Oct-04. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


  •  (brought forward)
  • Spring parent bean / property conversion bug.  What do we do about constructors with named parameters in the face of this bug.
  • Sanity check on redesign/fix for External login flows



    • Re-organized and fleshed out missing unit tests.
    • Sorting out changes to Tools 1.4 → 3.0 for changes to VelocityToolboxView  and friends.



  • Progress with the OIDC/SAML metadata work
    • Plugin's flows to support both ClientInformationResolverService and MetadataResolverService - clearly simplest for the current deployers


  • Java 13 build 33 (the first RC build) has become the GA version. No compatibility issues for us, but one feature that deployers may want to take advantage of.
  • Working on API consistency in the MDA beans: 



  • Tried to get some clarity on if and when browsers would support the SameSite=Lax by default and SameSite=None only with secure flag Google IETF draft ('Incrementally Better Cookies'). Added a table to IdP SameSite Testing, but needs a bit more digging as things progress. 
  • Have gone back to CSRF synchroniser token support testing
    • Tested with MFA using Password and Duo flow. Works fine as token can be placed inside the 'duo_form' - and correctly breaks without it.
    • Thinking it through with the External Authn flow. Not as easy (but just started) as token needs to be available in the session for an external servlet to grab and use (in some appropriate way), then present in the final redirect back to webflow. OR, the ExternalTransfer could be ignored by the listener, and no CSRF protection available for external authn servlets.
      • Maybe it needs to be part of the ExternalAuthenticationAPI - not sure yet.
      • Possibly unlikely to work with the redirect back from the external servlet without a new mechanism to test the token.
  • Said I would help Tom with SameSite selenium tests - but as of yet I have not got back to him.


  • Fail fast (and on, and on, and on)
    • Going to ignore the IdPPropertiesApplicationContextInitializer this.  Its only for tests and only used in CAS.  
      • Do we need to document it?  Or mark it internal?
    • Rename failFast to failFastInitialize for data Connectors (new attribute except for StoredId).providers? That's
    • Deprecate the LDAPConnectorPool failFastInitialize with a default of true (let that be caught in LDAP
    • Review old cases for regressions (and inspiration).
  • Installer: see   for details
    • Hating the whole "interact with the user thing".  
    • I18N ?
    •  - Do we think we need this?
    • Note we have a one off chance to change property names in V4, 
  •  Thanks to Scott I have a sensible approach.  


  • Security issues
  • SameSite filter
    • added to V3 as a placeholder in case its needed
    • configured, currently applying to all cookies, for V4 web.xml
  • Early progress on proxy login flow, starting on SAML support


  • Still working on browser tests