2019-11-01

Owned by Ian Young
Last updated: Jul 29, 2021
2 min read

Shibboleth Developer's Meeting, 2019-11-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2010-11-15. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

Add items for discussion here

Attendees:


Brent

  • Looking at Scott's SAML proxy flow stuff.  Will probably have detailed questions soon.
    • Testbed
      • Jetty 9.3 vs 9.4 - prefer or recommend one or the other?
      • Eclipse requirements? The Jetty 9.4 wiki page mentions Eclipse 2019-06 - is this a hard requirement?


Daniel

  • LDAPDataConnector updates for ldaptive

Henri

  • The OIDC plugin certification finally completed, see https://openid.net/certification/#OPs
  • Worked on the ways to configure RP's public keys into SAML metadata, currently three ways:
    • via RoleDescriptor/KeyDescriptor (using OpenSAML's InlineX509Provider and RSAKeyValueProvider)
    • via (custom) RoleDescriptor/JwkSet -element: contents expected to be base64-encoded JWK
    • via (custom) RoleDescriptor/JwkSetUri -element: URI to the endpoint where JWK can be fetched
  • Next release (v1.1.0) targeted before TechEx
    • The GÉANT BSD license will be switched into Apache 2.0

Ian


Marvin


Phil

  • Finished testing all views when CSRF protection enabled - CSRF FlowExeuctionListener testing, all views overview
  • Cleaning up implementation Anti-CSRF FlowExecutionListener Implementation. Not quite my best effort yet, but pushing it to (git@git.shibboleth.net:philsmart/java-identity-provider branch feature/anti-csrf-flowlistener) for review by an interested party.
    • Questions
      • Currently, if enabled, affects all views unless they are excluded. As this will be disabled by default, risk that changes that appear to work will break when enabled (which a deployer may have chosen to do). Is it best to use includes views over excludes.
        • Would need to ensure good integration tests for view. 
        • Not as tight security wise, but the IdP has a low risk of CSRF anyway...
      • I need to be clear which views are going to be included (although is in the big table above, probably needs better communication).
      • If deemed usable, how does this get fitted into the IdP e.g. requires changes to views in addition to system config.


Rod

  • IDP-1499 - Getting issue details... STATUS   (and related) Just needs testing
  • IDP-1516 - Getting issue details... STATUS
  • LDAP test failures in eclipse..  Status?


Scott

  • IDP-1511 - Getting issue details... STATUS
  • IDP-1494 - Getting issue details... STATUS
    • Work progressing on production of authentication result, implications on subject c14n, additions needed to support obvious use cases
      • Considering generic extension point to turn Assertions into arbitrary IdPAttribute data to include
    • Inbound filtering seems to hold up (issuer is proxied IdP, requester is proxying IdP)
    • Starting to hit the interesting questions, e.g. when did authentication take place re: lifetime for SSO in IdP

Tom

Other