2021-11-05
Shibboleth Developer's Meeting, 2021-11-05
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI. Note unusual time this week due to DST changes.
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-11-19. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
@Ian Young JPAR-195: Review and simplify release profile (Open)
@Rod Widdowson @Philip Smart Site builds (which generate javadoc and run weekly) x Nightly builds (which consume javadoc) x version revision == broken nightlies
Maven Central Repository - see my (Tom) section below for details. Do we want to:
(a) publish our repo URL in the POM and maintain it long-term / forever-ish, in a profile not activated by default?
or (b) remove it from the POM and publish our repo URL in the wiki as documentation for developers to add to ~/.m2/settings.xml? (that's my suggestion)
Quick q: did/do we intend to remove the jvmTrust option for LDAP authentication?
Quick item I will be taking to the Board
Add items for discussion here
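For the settings.xml route under (b), the following is an added illustration of what such developer documentation could contain; it is not from the meeting or from the project's own documentation. The repository URLs are the build.shibboleth.net/maven paths listed in Tom's section below; the profile id and repository ids are assumptions. Keeping the repository in the developer's own settings.xml (rather than in the POM) means the build only fetches from a host the developer explicitly opted into, and the distinct ids keep release and snapshot resolution separate.

```xml
<!-- ~/.m2/settings.xml: developer-side profile for the Shibboleth Maven repository
     (added example; profile and repository ids are assumed, URLs from the meeting notes) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>shibboleth</id>
      <repositories>
        <!-- Released artifacts only: snapshots disabled so a release build
             cannot silently pick up an unreleased snapshot. -->
        <repository>
          <id>shib-releases</id>
          <url>https://build.shibboleth.net/maven/releases</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
        <!-- Snapshot artifacts: separate id so Maven tracks their origin
             independently of releases in its local metadata. -->
        <repository>
          <id>shib-snapshots</id>
          <url>https://build.shibboleth.net/maven/snapshots</url>
          <releases><enabled>false</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </repository>
      </repositories>
      <!-- Same two sources for plugins, so plugin resolution also stays
         within the explicitly configured hosts. -->
      <pluginRepositories>
        <pluginRepository>
          <id>shib-releases</id>
          <url>https://build.shibboleth.net/maven/releases</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </pluginRepository>
        <pluginRepository>
          <id>shib-snapshots</id>
          <url>https://build.shibboleth.net/maven/snapshots</url>
          <releases><enabled>false</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <!-- Activate unconditionally for this developer; alternatively run
       "mvn -P shibboleth ..." and omit this block. -->
  <activeProfiles>
    <activeProfile>shibboleth</activeProfile>
  </activeProfiles>
</settings>
```

Only https URLs are used; recent Maven releases refuse plain-http repositories by default, and the redirect from the old nexus/ paths to maven/ (described in Tom's section) is what keeps POMs that still reference the old URLs working during the transition.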
Attendees:
Brent
JSATTR-6: SAML AttributeQuery DataConnector (Open)
Working on putting together the lower-level bits for the attribute query, based on work we did for artifact resolution
Daniel
Henri
JOIDC-21: Use token authentication for OIDC dynamic client registration (Closed)
Quite a few iteration rounds of metadata policy resolution with the new resolver structure in oidc-commons
Finally an initial version of the extended dynamic registration profile configuration with metadata policy resolved from a file (wired together via postconfig.xml)
Will create new (sub)tickets to oidc-commons and OP regarding this metadata policy concept
Ian
John
Slowly getting back into the Fargate/Jenkins work
Looking into possible yum-related improvements to avoid repeated contacts to upstream repos
Marvin
Phil
Still JCOMOIDC-23: Add OpenID Provider Configuration Document Resolver (Open)
Implemented a number of changes thanks to feedback from @Henri Mikkonen .
He has some very early success using it for Metadata Policies.
Is messy to XML-wire given all the strategies and how general it is, but parent bean config helps.
Made small steps with OIDC-RP.
Will have lots more time w/c 15th Nov. for the foreseeable.
Rod
Busy elsewhere
OpenSSL3 https://shibboleth.atlassian.net/browse/SSPCPP-946 & testing
Next stage sig checking - work mostly understood. Pending JPAR-195: Review and simplify release profile (Open)
Questions about IDP-1877: Allow ByReference filter to apply to multiple providers (Closed)
Scott
Santuario release done (and done again)
Bumped log4shib to fix some modern compiler issues
Most of SP work is done unless I can think of something else to actually deprecate (vs. all the stuff I really want to deprecate)
Tested cpp-linbuild process successfully
IdP odds and ends
Tom
Maven Central:
Looks like we will not publish artifacts to Central due to indemnity clause in ToS.
Priority is to firewall our Nexus instance and host our repo via Apache at:
https://build.shibboleth.net/maven
For backwards compat with our POMs we will need to redirect:
https://build.shibboleth.net/nexus/content/groups/public
to
https://build.shibboleth.net/maven/releases
https://build.shibboleth.net/nexus/content/repositories/snapshots
to
https://build.shibboleth.net/maven/snapshots
https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots
to
https://build.shibboleth.net/maven/thirdparty-snapshots
and remove thirdparty/ when "Rod's Rules" are in place.
As to whether someone else publishes to Central (for us), I think they would need to indemnify us but we do not really exist (as a legal entity).
Looking for confirmation - technical details in the agenda above.
Making some progress running Nexus/Jenkins in ECS/Fargate using Docker Compose (which wraps CloudFormation) - is that ok?
Plan is to use docker-compose.yml as infrastructure-as-code, open to alternatives (awscli, AWS console, Terraform) but this seems simplest / easiest.
Working through IdP browser tests in Jenkins with Jetty 9.4 versions (a) up to 9.4.43 as well as (b) 9.4.44 and up (conditional build step to inject idp-jetty-base version)
Other