Shibboleth Developer's Meeting, 2019-10-18

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-11-01. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• (Rod) Do we want to make a bunch of "not expected to be extended" classes final in V4 - its out last chance.  Examples are IdPAttribute and AttributeResolver

• Status/completeness of SAML SSO profile validation logic in OpenSAML

  • Looks like it's used in the delegation work

Attendees:

Tom, Henri absent

Brent

• Just back from vacation, nothing significant to report

Daniel

Ian

• Quick update on Oracle Java 8 change 

Phil

• Close (hopefully) to understanding CSRF mitigation across 'all' view-states

  • Overview here (CSRF FlowExeuctionListener testing, all views overview)

  • CAS views (CSRF FlowExecutionListener testing for CAS)

    • Is fine with small modification to logout propagation view (although probably best excluded)

  • Aim to finish ASAP.

• Next tidy up some of the code

• Then let people decide if this is something they want.

  • If so, need to look at automated integration tests - existing ones, to check any breakage

  • Any new tests to exercise the CSRF listener (unit and integration)

Rod

• IDP-1499 - Getting issue details... STATUS

  • Code freeze soon, then loads of testing.

  • Any other customizations?

Scott

• OSJ-287 - Getting issue details... STATUS

• IDP-1494 - Getting issue details... STATUS

  • MVC discovery / changes

  • Nested PRC design is convoluted but working (PRC → AC → PRC)

  • AuthnRequest being issued and response decoded by controller

    • POST only at the moment

  • Remaining work is on validation/attribute extraction half of flow, and polishing/extending request capabiilities

Other