Development Blog
Scott Cantor provides monthly updates on the state of the project, ongoing work, upcoming releases, and any other information worthy of note.
The latest feature update to the OIDC OP plugin is available and contains some significant bug fixes along with the first iterations of DPoP and PAR support (for those tracking all the new-ish RFCs out there, an ever-growing list). We’ve done quite a bit of work internally on automating the process of running the OpenID conformance suite and integrating the plugin into our testing infrastructure. The next big development cycle will include the initial work on OpenID Federation,…
Short update as we’re all just working “heads down” at the moment.
We’re still working to release the WebAuthn plugin and the next update to the OIDC plugin, but a number of bugs and suggestions have continued to pop up during testing, so that’s generally a good thing.
We have a few significant bug fixes queued for IdP V5.2 but nothing of particular urgency so I don’t know if a release of that is likely before next year or not.…
Firstly, a reminder that IdP V4 has reached EOL as of last week. There will be no further updates to the old branch regardless of any issues that arise.
Secondly, a notable issue was “revealed” by a bug fix included in V5.1.3. The OIDC OP plugin depends on the Nimbus library, and we discovered a bug in the library that impacts our software’s ability to issue responses properly, causing cookies we set to go missing. This manifests, generally,…
A short update on various tasks in progress…
Firstly, a reminder that IdP V4 will be EOL as of September 1, just a couple of weeks off. There likely will not be another V4 patch at this point, barring something serious.
We discovered a fairly serious bug warranting an IdP V5 patch release, so that was completed. It was not a security issue,…
In between various summer vacations, work has continued on a number of fronts this summer.
The Duo plugin upgrade adding dedicated single-factor passwordless support (https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3360686194) is now available.
The WebAuthn plugin (https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3395321933) has reached beta status while work continues on a few final additions such as better auditing support. With the plugin largely stable now,…
April saw the planned release of the latest round of OpenID Connect plugin minor upgrade (per OPReleaseNotes and OIDCRelyingPartyAuthnConfigurationReleaseNotes). The most significant addition is probably the first release of logout support in the OP, which is designed to integrate into the IdP’s existing logout framework for SAML SPs. The plugins are designed to be compatible with both V5.0 and V5.1 to make upgrades simpler for people on different patching cycles.…
Since the previous update, we have shipped the IdP V5.1 update, and a V5.1.1 patch to address a Spring issue announced the day after and a couple of regressions. Regressions are never fun, but they were pretty minor and the update has been otherwise a non-event, which is always the goal.
Because of the Spring issue, we were forced to go ahead and issue a V4 patch update as well, which is likely to be the “if we have to, we will” final rollup release of that branch.…
Short update this month focusing on schedules.
The next IdP update to V5.1 is planned for this week, along with the usual supporting library updates. This is a fairly significant minor update, though not on par with V4.1, but should be a routine patch for most deployers. There are a few “changes automatically” behaviors, so please do review the Release Notes while testing. As is the norm, V5.0 will be unsupported after this release as V5.1 becomes the current stable version.…
Unsurprisingly we’re a bit delayed on the next planned set of releases due to a certain amount of scope creep along with a general lack of urgency as most of what we’re doing right now is new work, not really bug fixing. Late February is still a target for V5.1 of the IdP, but that’s speculative due to a few smaller items we have in progress. We have no plans right now to require that upgrade for any of the plugin work we have in flight,…
We are (mostly) back from holidays and back at it. The plan is still to target late January for the next set of releases but we have some work going on that might benefit from further IdP enhancements so we’re staying flexible, and there is no particular urgency right now.
I’ve covered most of this before, but the active work right now consists of:
IdP/OpenSAML 5.1, relatively small enhancements along with bug fixes for the couple of regressions raised since 5.0 was released.…
Work continues to finish the backlog for the release of IdP (and OpenSAML) V5.1. As we approach the holidays, we expect to hold off finishing these releases until January to give us a bit more time to add features and avoid a crush around vacations. These are minor upgrades (and patches) that are definitely not comparable to the significant changes that occurred in V4.1. The new work is largely documented at this point (UserInterface for the CSP changes,…
The last month has primarily been continuing the post-release work I mentioned last month. We have landed the feature branches that were being worked on for what will eventually be IdP and OpenSAML V5.1 and are on track to deliver those either in December or early next year, primarily based on what other bug reports or requests come in that fit the time scale or are serious enough to need addressing.…
The IdP (and OpenSAML) V5 release was completed on schedule last month ahead of TechExchange, though with a fair number of bumps due to the refactoring work and the increased number of projects to release, including all of the plugins. Some glitches aside, the software release went fine (with a notable exception) and we have not gotten much in the way of bug reports so far. One did come in today,…
The past month has been spent getting betas of the IdP and all our plugins available for testing and getting ready for the V5 release, which is expected to occur over the course of this week. Nothing significant has come up while testing, though thanks to a member reporting a problem when Duo fell over a couple of weeks ago, we identified what is probably an HTTP connection leak that happens mainly when certain kinds of connection failures occur. That’s been fixed for the release obviously.…
It’s been a couple of months since the last update for the usual summer slowdown reasons, but work has been ongoing to get through the IdP backlog, get the installers in shape, and complete some internal testing so we could get a beta (http://shibboleth.net/pipermail/announce/2023-August/000298.html) released, which we did last week. Paul Caskey kindly worked on a TAP container build for the beta as well.
Reiterating some of the basics:
You need Java 17 and Jetty 11 or Tomcat 10.1 to run V5.…
The first release of the “combined” OIDC stack was completed last month, spanning 4 plugins, a common library, a shared configuration plugin, and the OP and RP plugins. The new design was necessary to allow sharing of the required code and internal system objects that are common to both use cases. The SAML proxying support would have necessitated a similar kind of approach had that not all been already part of the IdP core,…
Work is complete on the next version of the OP plugin and the first version of the RP proxy plugin and the releases are imminent, probably this week. A ton of effort has gone into these releases, with a large amount of code refactoring to polish some rough edges in the original OP code base and to facilitate the necessary overlap between the two by moving code out of the OP and into the OIDC Commons plugin.…
Most of the last month has been taken up by the continuing audit of the code base (OpenSAML chiefly now) for unstated or incorrectly expressed null constraints to tighten up the code and address various lurking bugs and inconsistencies. These kinds of changes often involve subtle changes to the public API so they have to be done in major releases, and so we have limited windows to do this sort of cleanup. One of the open questions is what to do with the XACML code in the library,…
Following on from February, I have been primarily working on refactoring code into a new java-shib-profile project, the third new library in between OpenSAML and the IdP. Of late, we’ve also been discussing the possibility of migrating some of the OpenSAML “implementation” classes that pertain to the IdP to reduce the size of that library and migrate out code that is largely unique to our projects. In the meantime,…
The only exciting? news for this month is just that I’ve gotten back to working on the SP redesign in earnest for the first time in a few months. With IdP 4.3 released and work essentially complete on that branch, attention turns back to the main branch and is more about what the SP needs from the IdP code base than actively working on the IdP itself.…
We are back from the holiday break and back at it.
I released a quick-turnaround SP V3.4.1 patch this evening, primarily as a vehicle to distribute a precautionary change to our libraries to block the primary attack vector that led to the advisory against the Java side of the project a couple of weeks ago. I spent a number of hours testing and analyzing code and while I concluded that for a few reasons, some accidental, the SP is not vulnerable to the exact issue reported,…
Last update of 2022, it’s been a busy (if not so visibly busy) year for the project with a lot of technical debt work as we prepare for another major transition with the IdP. I hope those able to attend the Internet2 conference last week had a good meeting and got back safe and healthy, sorry to have missed it. I guarantee you all had a better time than I did debugging Spring XML Schema handling. Thanks to Phil Smart for covering for me and presenting the usual updates.
On the release front,…
Relatively short update this month, as we’ve mostly just been continuing with existing work projects.
The OIDC feature update should be out shortly, just some final cleanup work left to do in cooperation with partners working on new functionality separately for eventual inclusion in our code base. A testable snapshot of the OIDC RP plugin is available as development on that wraps up. See http://shibboleth.net/pipermail/dev/2022-October/011027.html http://shibboleth.…
The initial Java code refactoring of the IdP code base is complete and the new repositories are now in a stable state (i.e., we’re not changing them in ways requiring re-cloning). The two primary goals of this work were:
Migrate substantial portions of functionality out of the IdP so that it can be leveraged by the SP, including the metadata, attribute resolver, and attribute filter services and configuration.…
Work has continued over the last month on the “big refactoring” of the Java code base targeted at V5 and in support of the next-gen SP work. The current phase of work consists of turning the monolithic (and poorly named) java-support and spring-extensions projects into a new java-shib-shared multi-module project containing a number of new (often small) modules. In addition to better file naming and code organization,…
Lots of vacations and other interruptions lately so this is a short update. Following on last month, work continues on code reorganization and refactoring. That’s not terribly exciting but is ongoing.
In parallel, some new work is being done in anticipation of an IdP V4.3 release, either late this year or early in 2023. This will allow us to ship a small number of in-demand features that require core changes,…
The last month has seen some additional plugin releases, and substantial progress on refactoring the code base in preparation for IdP V5 and SP development.
Another new OP feature update has been released as we continue to focus a lot of effort on extending the OIDC/OAuth feature set. The OP now supports JWT access tokens for all supported grant types, though full OAuth support for non-OIDC clients is not yet finished at this point (it should be in the next feature drop),…
Work has continued over the last month on all of the roadmap items I noted in the May update.
The OIDC RP work continues, primarily with a focus on redoing the way we handle signing and encryption for JWTs to match the APIs we use in OpenSAML for SAML, which we will be using in the RP plugin, and eventually migrating over to the OP plugin once the work is done. This will add a few features such as equivalent support for allow/deny lists of algorithms,…
With IdP V4.2 released, I’ll focus on two topics this month: what’s actually new in this release, and what the active projects are for the remainder of this year (the roadmap is also updated in this regard).
A third topic is just to point out that Jetty 9.4 is now in commercial support mode, which means it will get critical fixes only for a few years. Anyone using it should be moving to Jetty 10.
4.2 Highlights
The main purpose of the 4.…
Well, all the IdP 4.2 and related releases would be done at this point except for the Spring vulnerability from last week throwing a wrench into things. We put everything on hold at that point while we waited for official word and then needed that whole day to research the issue and produce a 4.1 patch out of caution; it’s still our belief that the vulnerability appeared to be limited to a data binding feature that we don’t use,…
Short update this month.
Work is wrapping up on the IdP V4.2 and OIDC OP plugin V3.1 feature releases. We expect to freeze within the next couple of weeks and should be shipping in late March / early April. Documentation is available on the new OAuth and client authentication features. The OP update will also include support for token-based dynamic client registration.…
The last month included a couple of patch releases, to the IdP and the OP plugin, the latter a security fix (https://shibboleth.net/community/advisories/secadv_20220131.txt) of which all deployers should take note. Work continues in parallel on the active work streams and we should be able to ship IdP V4.2 and the updated OP plugin this quarter as planned.…
All projects were impacted to some degree by the log4shell vulnerability, which triggered a wave of questionable bug reports to a lot of logging libraries and a lot of triaging and threat assessment. The Shibboleth Project migrated away from log4j a long time ago so was not directly impacted by the mess, but we kept tabs on discussions around a supposed logback vulnerability that didn’t really turn out to be one. Nevertheless the maintainer acted conservatively and issued a CVE https://cve.…
Since the last update, we have released the SP V3.3 update, migrated to the new SP packaging process, reached a significant milestone in our supply chain security work, and have advanced or started work on a number of OIDC/OAuth enhancement projects.
The SP update so far has resulted in one minor bug report (an accidental deprecation warning). The new packaging process worked great and saved several hours of hassle getting the RPMs out,…
All of our active work streams have been continuing over the last month.
SP V3.3 is nearing ready to ship, with all of the dependent work on libraries done. We plan to ship it with OpenSSL 3.0 on Windows in order to ensure adequate exposure to that version. There were essentially no code changes needed except for a very small fix to another library so we don’t expect much trouble. Future versions are a bigger concern because of the number of deprecated functions we’re using,…
This month is just a short update on current work in progress noted during the previous updates.
As of yesterday, the remaining self-hosted core project infrastructure has been migrated off of CentOS and on to a Rocky Linux server. We’ll be watching for problems but so far, so good. This relieves some immediate time pressure in terms of sunsetting tools but documenting everything remains an ongoing task for the rest of this year.…
The Jira migration was completed last month and we have (we hope for good) taken down the old Atlassian services. This was a time-consuming but ultimately necessary project, and while losing federated access is unfortunate it will certainly mean less upkeep for us in the long run. Getting people access has been a little bit of extra work, but doesn’t seem to impose much of a barrier for anybody so far.…
The bulk of this month was consumed with a couple of bug fixes and the continued Atlassian migrations, along with a number of vacations. The wiki migration is essentially complete at this point but has been much more trouble than anticipated because of subtle, often undocumented gaps between the Server version and the Cloud version, particularly once content is converted to their newer format.…
The major work item this month was to begin the Server to Cloud migration of Confluence and Jira. This is arguably premature given that we have a couple of years before we have to do this, but the Server installs were starting to become a problem during upgrades and getting it out of the way seemed to be the prudent thing to do. If you’re reading this, you are of course doing so on the Cloud instance,…
Two months worth of updates to catch up on and there is a lot to report on.
After waiting another few weeks to work out some plugin issues, we shipped the first patch for V4.1 last month. This is V4.1.2 rather than V4.1.1 because one of us luckily discovered a problem with the release after we were done with it. It was traced to a Maven "behavior" we're still working through, but we have a better idea what to watch for and will be working on some automated checks to prevent a recurrence.…
The IdP 4.1 release was of course completed last month and has been a success so far, though it's early. Only one major regression has come to light and it's relatively easy to work around for now. I'm in production with it since last week without any problems so far. I posted a how-to documenting what I did to clean up my system after I did the upgrade. I did do this work prior to my MTP of the upgrade,…
We are running about two weeks behind the planned schedule for IdP V4.1, so the code freeze is expected at the end of this week and a release of the IdP and all associated plugins following about 10 days later around March 24th. The one hitch in this plan is that there is optional i18n functionality that depends on a Spring Framework bug fix so we're waiting on that release in mid-March and have to have enough time to test it in order to make our schedule.…
Work has continued on IdP 4.1 and all of the planned extensions with an eye on freezing the code around the end of February so we can hit a March release of all of these components. A few small issues remain but for the most part we're close to feature complete and are working this week on getting alpha versions of everything released and posted so we can begin to test in earnest, particularly all of the new plugin and module installation functionality.…
The project had a productive holiday period, with a fairly unprecedented three software releases done in one week, IdP V3.4.8, SP V3.2.0, and xmlsectool V3.0.0. We also launched a new web site https://www.shibboleth.net/.
V3.4.8 was of course the final IdPv3 release and the branch is nominally closed. We may backport some fixes if circumstances warrant for those wanting to continue maintaining their own builds,…
The slides presented at CAMP a couple of weeks ago are attached.
Since the last update, a draft of the documentation on the new IdP plugin system has been put together, and we are starting to build snapshots of the current round of plugins to test installation and upgrades.
Work continues on the OIDC plugin configuration and much of the manual work to install it has been eliminated, and additional improvements to bring things in line with existing system conventions are still coming.…
Over the last month we have been working towards wrapping up work on IdP V4.1. There's still a lot left to do, but the end is at least visible and we are still targeting a Q1 2021 release. As I have said before, any notion of a V5.0 has been deferred more or less indefinitely until there are technical/platform/Java motivations for doing one.…
In the last month, the APIs and design of the new IdPModule and IdPPlugin features have firmed up and we have completed converting all of the "likely" candidates for modularization in the core feature set. Much of the XML configuration across the admin, login, interceptor, and c14n flows have been reduced or eliminated in a backward-compatible way in favor of properties for most simple settings,…
September included a Windows patch to the SP and some significant fixes for (uncommon, so far) issues with the HTTP stack in the IdP. The latter are not expected to ship unless they cause more trouble until more critical bug fixes warrant a new patch.
Over the last month's work on IdP 4.1, much of the supporting work to make the new plugin framework useful has been completed and we have been able to address most of the manual configuration challenges of adding new flows to the system.…
We have continued to work on the new IdP plugin framework and are nearing feature completion on several of the first round of plugins we're building, which I mentioned in last month's update. The new Duo plugin in particular will require some time to polish and complete but the bulk of the new work is done.
The major remaining tasks center around completing the plugin framework itself and testing all of that, plus significant changes to some of the IdP's core configuration approaches,…
Work over the past month has included:
Research into some complex bugs and behavior that were in the backlog.
Progress on some of the more complex work scheduled for V4.1
Work to clean up and stabilize the MDA API for the eventual 1.0 release of that software.
The recent Comodo CA expiration resulted in the observation that the IdP's behavior in the case of LDAP and HTTPS certificate evaluation was different (an expired trust root worked for LDAP, but failed for HTTPS).…