2019-11-01

Shibboleth Developer's Meeting, 2019-11-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-11-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  • @Ian Young

    JPAR-140

Add items for discussion here

Attendees:

Brent

  • Looking at Scott's SAML proxy flow stuff. Will probably have detailed questions soon.

    • Testbed

      • Jetty 9.3 vs 9.4 - prefer or recommend one or the other?

      • Eclipse requirements? The Jetty 9.4 wiki page mentions Eclipse 2019-06 - is this a hard requirement?

Daniel

  • LDAPDataConnector updates for ldaptive

Henri

  • The OIDC plugin certification finally completed, see https://openid.net/certification/#OPs

  • Worked on ways to configure an RP's public keys in SAML metadata; currently there are three:

    • via RoleDescriptor/KeyDescriptor (using OpenSAML's InlineX509Provider and RSAKeyValueProvider)

    • via (custom) RoleDescriptor/JwkSet element: contents expected to be a base64-encoded JWK Set

    • via (custom) RoleDescriptor/JwkSetUri element: URI of the endpoint from which the JWK Set can be fetched

  • Next release (v1.1.0) targeted before TechEx

    • The GÉANT BSD license will be switched to Apache 2.0
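As an added illustration of the three key-publication forms listed above (this is example code written for these notes, not the OIDC plugin's own implementation), the following Python reads a SAML metadata document and normalises whatever it finds into JWK-style dicts: a standard KeyDescriptor carrying either an X509Certificate or an RSAKeyValue, a custom JwkSet element holding a base64-encoded JWK Set, and a custom JwkSetUri element. The namespace used for the two custom elements is a placeholder, since the notes do not name the real one; the sample metadata, the certificate value and the URI are constructed and not real deployment data.

```python
"""Extract relying-party public keys from SAML metadata, whichever of the
three forms (KeyDescriptor, JwkSet, JwkSetUri) the metadata uses."""
import base64
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: the custom JwkSet/JwkSetUri elements live in a plugin-specific
# namespace that these notes do not name; this URI is a placeholder only.
OIDC_NS = "urn:example:placeholder:oidc-metadata"
NS = {"md": MD_NS, "ds": DS_NS, "oidc": OIDC_NS}


def b64_to_b64url(std_b64: str) -> str:
    """XML-DSig encodes big integers as standard base64 (padded, whitespace
    allowed); JWK wants unpadded base64url. Round-trip through the raw bytes."""
    raw = base64.b64decode("".join(std_b64.split()))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _jwk_use(key_descriptor) -> dict:
    """Map the KeyDescriptor 'use' attribute onto the JWK 'use' field; an
    absent attribute means the key serves both purposes, so nothing is added."""
    use = key_descriptor.get("use")
    return {"use": {"signing": "sig", "encryption": "enc"}[use]} if use else {}


def extract_rp_keys(metadata_xml: str) -> dict:
    """Return {'inline': [jwk, ...], 'jwks_uri': [uri, ...]} for every key the
    RP's role descriptors advertise, in document order."""
    root = ET.fromstring(metadata_xml)
    inline, uris = [], []
    roles = root.findall(".//md:RoleDescriptor", NS) + root.findall(".//md:SPSSODescriptor", NS)
    for role in roles:
        # Form 1: standard KeyDescriptor, X.509 certificate or bare RSA key value.
        for kd in role.findall("md:KeyDescriptor", NS):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # The DER certificate is passed through as x5c; a real consumer
                # would parse it to recover kty/n/e.
                jwk = {"x5c": ["".join(cert.text.split())]}
                jwk.update(_jwk_use(kd))
                inline.append(jwk)
            for rsa in kd.findall("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS):
                jwk = {
                    "kty": "RSA",
                    "n": b64_to_b64url(rsa.find("ds:Modulus", NS).text),
                    "e": b64_to_b64url(rsa.find("ds:Exponent", NS).text),
                }
                jwk.update(_jwk_use(kd))
                inline.append(jwk)
        # Form 2: base64-encoded JWK Set embedded in the custom JwkSet element.
        for jwkset in role.findall("oidc:JwkSet", NS):
            decoded = json.loads(base64.b64decode("".join(jwkset.text.split())))
            inline.extend(decoded.get("keys", []))
        # Form 3: custom JwkSetUri element; record the URI rather than fetching it,
        # so that the network call stays a separate, deployer-controlled step.
        for uri in role.findall("oidc:JwkSetUri", NS):
            uris.append(uri.text.strip())
    return {"inline": inline, "jwks_uri": uris}


# Constructed sample metadata (not real deployment data): one SP role using
# all three forms at once so that every branch above is exercised.
_SAMPLE_JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "constructed-ec-1",
                          "x": "AAAA", "y": "BBBB"}]}
_SAMPLE_JWKS_B64 = base64.b64encode(json.dumps(_SAMPLE_JWKS).encode()).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    xmlns:oidc="{OIDC_NS}" entityID="https://rp.example.org/placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>+/+/AQ==</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <oidc:JwkSet>{_SAMPLE_JWKS_B64}</oidc:JwkSet>
    <oidc:JwkSetUri>https://rp.example.org/placeholder/jwks.json</oidc:JwkSetUri>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(json.dumps(extract_rp_keys(SAMPLE_METADATA), indent=2))
```

The one detail worth noticing is the RSAKeyValue branch: XML-DSig and JWK both carry the modulus and exponent as big-endian byte strings, but one uses padded standard base64 and the other unpadded base64url, so a naive string copy produces a key that looks plausible and fails to verify. The X509Certificate placeholder above is just the base64 of the word "CONSTRUCTED", not a real certificate.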

Ian

Marvin

Phil

  • Finished testing all views when CSRF protection enabled - CSRF FlowExecutionListener testing, all views overview

  • Cleaning up the Anti-CSRF FlowExecutionListener implementation. Not quite my best effort yet, but pushing it to git@git.shibboleth.net:philsmart/java-identity-provider (branch feature/anti-csrf-flowlistener) for review by an interested party.

    • Questions

      • Currently, if enabled, it affects all views unless they are excluded. As this will be disabled by default, there is a risk that changes that appear to work will break when it is enabled (which a deployer may have chosen to do). Is it best to use an include list of views rather than excludes?

        • Would need to ensure good integration tests for views.

        • Not as tight security wise, but the IdP has a low risk of CSRF anyway...

      • I need to be clear which views are going to be included (although this is in the big table above, it probably needs better communication).

      • If deemed usable, how does this get fitted into the IdP e.g. requires changes to views in addition to system config.
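To make the include-versus-exclude question above concrete, here is an added example (written for these notes, not code from Phil's branch or from Spring Web Flow) that models the listener in Python: on view render it issues a token bound to the flow execution, and on the submitted event it checks that token for every protected view. The policy object decides which views count as protected under either mode, and the simulate() helper shows what happens to a newly added view whose template does not yet emit the token. The execution key and form field names are constructed.

```python
"""Simplified model of an anti-CSRF flow execution listener with an
include-list or exclude-list view policy (example, not the IdP's code)."""
import hmac
import secrets


class AntiCsrfPolicy:
    """mode 'exclude': every view is protected except the listed ones.
    mode 'include': only the listed views are protected."""

    def __init__(self, mode, views):
        if mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")
        self.mode = mode
        self.views = set(views)

    def is_protected(self, view_id):
        if self.mode == "include":
            return view_id in self.views
        return view_id not in self.views


class AntiCsrfListener:
    """Issues a per-flow-execution token at render time and verifies it when
    the view's event is signaled; an unprotected view is passed straight through."""

    def __init__(self, policy, enabled=True):
        self.policy = policy
        self.enabled = enabled
        self._tokens = {}  # flow execution key -> expected token

    def view_rendering(self, execution_key, view_id, model):
        """Place the token in the view model; the template must emit it as a
        hidden form field or the following submit will be rejected."""
        if not self.enabled or not self.policy.is_protected(view_id):
            return
        token = self._tokens.setdefault(execution_key, secrets.token_urlsafe(32))
        model["csrfToken"] = token

    def event_signaled(self, execution_key, view_id, submitted):
        """Return True if the submitted event may proceed."""
        if not self.enabled or not self.policy.is_protected(view_id):
            return True
        expected = self._tokens.get(execution_key)
        supplied = submitted.get("csrfToken", "")
        # Constant-time comparison on bytes so non-ASCII input cannot raise.
        return expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), supplied.encode("utf-8"))


def simulate(mode, listed_views, view_id, form_carries_token):
    """Render view_id, then submit it with or without the token, and report
    whether the submit is accepted under the given policy."""
    listener = AntiCsrfListener(AntiCsrfPolicy(mode, listed_views))
    model = {}
    listener.view_rendering("e1s1", view_id, model)  # constructed execution key
    submitted = {"j_username": "someone"}
    if form_carries_token and "csrfToken" in model:
        submitted["csrfToken"] = model["csrfToken"]
    return listener.event_signaled("e1s1", view_id, submitted)


if __name__ == "__main__":
    # A new view whose template does not emit the token:
    print("exclude mode, untokenised new view accepted:",
          simulate("exclude", {"logout"}, "new-view", False))   # False: breaks
    print("include mode, untokenised new view accepted:",
          simulate("include", {"login"}, "new-view", False))    # True: unprotected
```

Under the exclude policy a view that nobody thought about is protected by default, so a template that forgets the hidden field fails closed once the listener is enabled; under the include policy the same forgotten view is simply unprotected, which is the looser trade-off the notes describe. Either way the integration tests need to run with the listener switched on.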

Rod

  • IDP-1499 (and related): just needs testing

  • IDP-1516

  • LDAP test failures in Eclipse. Status?

Scott

  • IDP-1511

  • IDP-1494

    • Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases

      • Considering generic extension point to turn Assertions into arbitrary IdPAttribute data to include

    • Inbound filtering seems to hold up (issuer is proxied IdP, requester is proxying IdP)

    • Starting to hit the interesting questions, e.g. when did authentication take place re: lifetime for SSO in IdP

Tom

Other