Development Blog

Scott Cantor provides monthly updates on the state of the project, ongoing work, upcoming releases, and any other information worthy of note.

March 2024 Update
Short update this month focusing on schedules. The next IdP update to V5.1 is planned for this week, along with the usual supporting library updates. This is a fairly significant minor update, though not on par with V4.1, but should be a routine patch for most deployers. There are a few “changes automatically” behaviors, so please do review the Release Notes while testing. As is the norm, V5.0 will be unsupported after this release as V5.1 becomes the current stable version.…
February 2024 Update
Unsurprisingly we’re a bit delayed on the next planned set of releases due to a certain amount of scope creep along with a general lack of urgency as most of what we’re doing right now is new work, not really bug fixing. Late February is still a target for V5.1 of the IdP, but that’s speculative due to a few smaller items we have in progress. We have no plans right now to require that upgrade for any of the plugin work we have in flight,…
January 2024 Update
We are (mostly) back from holidays and back at it. The plan is still to target late January for the next set of releases but we have some work going on that might benefit from further IdP enhancements so we’re staying flexible, and there is no particular urgency right now. I’ve covered most of this before, but the active work right now consists of: IdP/OpenSAML 5.1, relatively small enhancements along with bug fixes for the couple of regressions raised since 5.0 was released.…
December 2023 Update
Work continues to finish the backlog for the release of IdP (and OpenSAML) V5.1. As we approach the holidays, we expect to hold off finishing these releases until January to give us a bit more time to add features and avoid a crush around vacations. These are minor upgrades (and patches) that are definitely not comparable to the significant changes that occurred in V4.1. The new work is largely documented at this point (UserInterface for the CSP changes,…
November 2023 Update
The last month has primarily been continuing the post-release work I mentioned last month. We have landed the feature branches that were being worked on for what will eventually be IdP and OpenSAML V5.1 and are on track to deliver those either in December or early next year, primarily based on what other bug reports or requests come in that fit the time scale or are serious enough to need addressing.…
October 2023 Update
The IdP (and OpenSAML) V5 release was completed on schedule last month ahead of TechExchange, though with a fair number of bumps due to the refactoring work and the increased number of projects to release, including all of the plugins. Some glitches aside, the software release went fine (with a notable exception) and we have not gotten much in the way of bug reports so far. One did come in today,…
September 2023 Update
The past month has been spent getting betas of the IdP and all our plugins available for testing and getting ready for the V5 release, which is expected to occur over the course of this week. Nothing significant has come up while testing, though thanks to a member reporting a problem when Duo fell over a couple of weeks ago, we identified what is probably an HTTP connection leak that happens mainly when certain kinds of connection failures occur. That’s been fixed for the release obviously.…
August 2023 Update
It’s been a couple of months since the last update for the usual summer slowdown reasons, but work has been ongoing to get through the IdP backlog, get the installers in shape, and complete some internal testing so we could get a beta http://shibboleth.net/pipermail/announce/2023-August/000298.html released, which we did last week. Paul Caskey kindly worked on a TAP container build for the beta as well. Reiterating some of the basics: You need Java 17 and Jetty 11 or Tomcat 10.1 to run V5.…
June 2023 Update
The first release of the “combined” OIDC stack was completed last month, spanning 4 plugins, a common library, a shared configuration plugin, and the OP and RP plugins. The new design was necessary to allow sharing of the required code and internal system objects that are common to both use cases. The SAML proxying support would have necessitated a similar kind of approach had that not all been already part of the IdP core,…
May 2023 Update
Work is complete on the next version of the OP plugin and the first version of the RP proxy plugin and the releases are imminent, probably this week. A ton of effort has gone into these releases, with a large amount of code refactoring to polish some rough edges in the original OP code base and to facilitate the necessary overlap between the two by moving code out of the OP and into the OIDC Commons plugin.…
April 2023 Update
Most of the last month has been taken up by the continuing audit of the code base (OpenSAML chiefly now) for unstated or incorrectly expressed null constraints to tighten up the code and address various lurking bugs and inconsistencies. These kinds of changes often involve subtle changes to the public API so they have to be done in major releases, and so we have limited windows to do this sort of cleanup. One of the open questions is what to do with the XACML code in the library,…
March 2023 Update
Following on from February, I have been primarily working on refactoring code into a new java-shib-profile project, the third new library in between OpenSAML and the IdP. Of late, we’ve also been discussing the possibility of migrating some of the OpenSAML “implementation” classes that pertain to the IdP to reduce the size of that library and migrate out code that is largely unique to our projects. In the meantime,…
February 2023 Update
The only exciting? news for this month is just that I’ve gotten back to working on the SP redesign in earnest for the first time in a few months. With IdP 4.3 released and work essentially complete on that branch, attention turns back to the main branch and is more about what the SP needs from the IdP code base than actively working on the IdP itself.…
January 2023 Update
We are back from the holiday break and back at it. I released a quick-turnaround SP V3.4.1 patch this evening, primarily as a vehicle to distribute a precautionary change to our libraries to block the primary attack vector that led to the advisory against the Java side of the project a couple of weeks ago. I spent a number of hours testing and analyzing code and while I concluded that for a few reasons, some accidental, the SP is not vulnerable to the exact issue reported,…
December 2022 Update
Last update of 2022: it’s been a busy (if not so visibly busy) year for the project with a lot of technical debt work as we prepare for another major transition with the IdP. I hope those able to attend the Internet2 conference last week had a good meeting and got back safe and healthy; sorry to have missed it. I guarantee you all had a better time than I did debugging Spring XML Schema handling. Thanks to Phil Smart for covering for me and presenting the usual updates. On the release front,…
November 2022 Update
Relatively short update this month, as we’ve mostly just been continuing with existing work projects. The OIDC feature update should be out shortly, just some final cleanup work left to do in cooperation with partners working on new functionality separately for eventual inclusion in our code base. A testable snapshot of the OIDC RP plugin is available as development on that wraps up. See http://shibboleth.net/pipermail/dev/2022-October/011027.html http://shibboleth.…
October 2022 Update
The initial Java code refactoring of the IdP code base is complete and the new repositories are now in a stable state (i.e., we’re not changing them in ways requiring re-cloning). The two primary goals of this work were: Migrate substantial portions of functionality out of the IdP so that it can be leveraged by the SP, including the metadata, attribute resolver, and attribute filter services and configuration.…
September 2022 Update
Work has continued over the last month on the “big refactoring” of the Java code base targeted at V5 and in support of the next-gen SP work. The current phase of work consists of turning the monolithic (and poorly named) java-support and spring-extensions projects into a new java-shib-shared multi-module project containing a number of new (often small) modules. In addition to better file naming and code organization,…
August 2022 Update
Lots of vacations and other interruptions lately so this is a short update. Following on last month, work continues on code reorganization and refactoring. That’s not terribly exciting but is ongoing. In parallel, some new work is being done in anticipation of an IdP V4.3 release, either late this year or early in 2023. This will allow us to ship a small number of in-demand features that require core changes,…
July 2022 Update
The last month has seen some additional plugin releases, and substantial progress on refactoring the code base in preparation for IdP V5 and SP development. Another new OP feature update has been released as we continue to focus a lot of effort on extending the OIDC/OAuth feature set. The OP now supports JWT access tokens for all supported grant types, though full OAuth support for non-OIDC clients is not yet finished at this point (it should be in the next feature drop),…
June 2022 Update
Work has continued over the last month on all of the roadmap items I noted in the May update. The OIDC RP work continues, primarily with a focus on redoing the way we handle signing and encryption for JWTs to match the APIs we use in OpenSAML for SAML, which we will be using in the RP plugin, and eventually migrating over to the OP plugin once the work is done. This will add a few features such as equivalent support for allow/deny lists of algorithms,…
May 2022 Update
With IdP V4.2 released, I’ll focus on two topics this month: what’s actually new in this release, and what the active projects are for the remainder of this year (the roadmap is also updated in this regard). A third topic is just to point out that Jetty 9.4 is now in commercial support mode, which means it will get critical fixes only for a few years. Anyone using it should be moving to Jetty 10. 4.2 Highlights The main purpose of the 4.…
April 2022 Update
Well, all the IdP 4.2 and related releases would be done at this point except for the Spring vulnerability from last week throwing a wrench into things. We put everything on hold at that point while we waited for official word and then needed that whole day to research the issue and produce a 4.1 patch out of caution; it’s still our belief that the vulnerability appeared to be limited to a data binding feature that we don’t use,…
March 2022 Update
Short update this month. Work is wrapping up on the IdP V4.2 and OIDC OP plugin V3.1 feature releases. We expect to freeze within the next couple of weeks and should be shipping in late March / early April. Documentation is available on the new OAuth and client authentication features. The OP update will also include support for token-based dynamic client registration.…
February 2022 Update
The last month included a couple of patch releases, to the IdP and the OP plugin, the latter a security fix https://shibboleth.net/community/advisories/secadv_20220131.txt of which all deployers should take note. Work continues in parallel on the active work streams and we should be able to ship IdP V4.2 and the updated OP plugin this quarter as planned.…
January 2022 Update
All projects were impacted to some degree by the log4shell vulnerability, which triggered a wave of questionable bug reports to a lot of logging libraries and a lot of triaging and threat assessment. The Shibboleth Project migrated away from log4j a long time ago so was not directly impacted by the mess, but we kept tabs on discussions around a supposed logback vulnerability that didn’t really turn out to be one. Nevertheless the maintainer acted conservatively and issued a CVE https://cve.…
December 2021 Update
Since the last update, we have released the SP V3.3 update, migrated to the new SP packaging process, reached a significant milestone in our supply chain security work, and have advanced or started work on a number of OIDC/OAuth enhancement projects. The SP update so far has resulted in one minor bug report (an accidental deprecation warning). The new packaging process worked great and saved several hours of hassle getting the RPMs out,…
November 2021 Update
All of our active work streams have been continuing over the last month. SP V3.3 is nearly ready to ship, with all of the dependent work on libraries done. We plan to ship it with OpenSSL 3.0 on Windows in order to ensure adequate exposure to that version. There were essentially no code changes needed except for a very small fix to another library so we don’t expect much trouble. Future versions are a bigger concern because of the number of deprecated functions we’re using,…
October 2021 Update
This month is just a short update on current work in progress noted during the previous updates. As of yesterday, the remaining self-hosted core project infrastructure has been migrated off of CentOS and on to a Rocky Linux server. We’ll be watching for problems but so far, so good. This relieves some immediate time pressure in terms of sunsetting tools but documenting everything remains an ongoing task for the rest of this year.…
September 2021 Update
The Jira migration was completed last month and we have (we hope for good) taken down the old Atlassian services. This was a time-consuming but ultimately necessary project, and while losing federated access is unfortunate it will certainly mean less upkeep for us in the long run. Getting people access has been a little bit of extra work, but doesn’t seem to impose much of a barrier for anybody so far.…
August 2021 Update
The bulk of this month was consumed with a couple of bug fixes and the continued Atlassian migrations, along with a number of vacations. The wiki migration is essentially complete at this point but has been much more trouble than anticipated because of subtle, often undocumented gaps between the Server version and the Cloud version, particularly once content is converted to their newer format.…
July 2021 Update
The major work item this month was to begin the Server to Cloud migration of Confluence and Jira. This is arguably premature given that we have a couple of years before we have to do this, but the Server installs were starting to become a problem during upgrades and getting it out of the way seemed to be the prudent thing to do. If you’re reading this, you are of course doing so on the Cloud instance,…
June Update
Two months’ worth of updates to catch up on and there is a lot to report on. After waiting another few weeks to work out some plugin issues, we shipped the first patch for V4.1 last month. This is V4.1.2 rather than V4.1.1 because one of us luckily discovered a problem with the release after we were done with it. It was traced to a Maven "behavior" we're still working through but we have a better idea what to watch for and will be working on some automated checks to prevent a recurrence.…
April Update
The IdP 4.1 release was of course completed last month and has been a success so far, though it's early. Only one major regression has come to light and it's relatively easy to work around for now. I'm in production with it since last week without any problems so far. I posted a how-to documenting what I did to clean up my system after I did the upgrade. I did do this work prior to my MTP of the upgrade,…
March Update
We are running about two weeks behind the planned schedule for IdP V4.1, so the code freeze is expected at the end of this week and a release of the IdP and all associated plugins following about 10 days later around March 24th. The one hitch in this plan is that there is optional i18n functionality that depends on a Spring Framework bug fix so we're waiting on that release in mid-March and have to have enough time to test it in order to make our schedule.…
February Update
Work has continued on IdP 4.1 and all of the planned extensions with an eye on freezing the code around the end of February so we can hit a March release of all of these components. A few small issues remain but for the most part we're close to feature complete and are working this week on getting alpha versions of everything released and posted so we can begin to test in earnest, particularly all of the new plugin and module installation functionality.…
January Update
The project had a productive holiday period, with a fairly unprecedented three software releases done in one week, IdP V3.4.8, SP V3.2.0, and xmlsectool V3.0.0. We also launched a new web site https://www.shibboleth.net/. V3.4.8 was of course the final IdPv3 release and the branch is nominally closed. We may backport some fixes if circumstances warrant for those wanting to continue maintaining their own builds,…
December Update
The slides presented at CAMP a couple of weeks ago are attached. Since the last update, a draft of the documentation on the new IdP plugin system has been put together, and we are starting to build snapshots of the current round of plugins to test installation and upgrades. Work continues on the OIDC plugin configuration and much of the manual work to install it has been eliminated, and additional improvements to bring things in line with existing system conventions are still coming.…
November Update
Over the last month we have been working towards wrapping up work on IdP V4.1. There's still a lot left to do, but the end is at least visible and we are still targeting a Q1 2021 release. As I have said before, any notion of a V5.0 has been deferred more or less indefinitely until there are technical/platform/Java motivations for doing one.…
October Update
In the last month, the APIs and design of the new IdPModule and IdPPlugin features have firmed up and we have completed converting all of the "likely" candidates for modularization in the core feature set. Much of the XML configuration across the admin, login, interceptor, and c14n flows has been reduced or eliminated in a backward-compatible way in favor of properties for most simple settings,…
September Update
September included a Windows patch to the SP and some significant fixes for (uncommon, so far) issues with the HTTP stack in the IdP. The latter are not expected to ship unless they cause more trouble until more critical bug fixes warrant a new patch. Over the last month's work on IdP 4.1, much of the supporting work to make the new plugin framework useful has been completed and we have been able to address most of the manual configuration challenges of adding new flows to the system.…
August Update
We have continued to work on the new IdP plugin framework and are nearing feature completion on several of the first round of plugins we're building, which I mentioned in last month's update. The new Duo plugin in particular will require some time to polish and complete but the bulk of the new work is done. The major remaining tasks center around completing the plugin framework itself and testing all of that, plus significant changes to some of the IdP's core configuration approaches,…
July Update
Work over the past month has included: research into some complex bugs and behavior that were in the backlog; progress on some of the more complex work scheduled for V4.1; and work to clean up and stabilize the MDA API for the eventual 1.0 release of that software. The recent Comodo CA expiration resulted in the observation that the IdP's behavior in the case of LDAP and HTTPS certificate evaluation was different (an expired trust root worked for LDAP, but failed for HTTPS).…
June Update
Since the last update we completed work on the first IdPv4 patch release to address a small number of bugs and some features that were lost in the transition. We believe the bug count has been somewhat artificially low due to the slow pace of adoption, but having been running it in production for several weeks I'm also pretty comfortable that there aren't a lot of big bugs lurking, at least new ones. One issue we hit involved an internal Jetty 9.…
May Update
We have completed migration of most of the project infrastructure to AWS, which will be more cost effective and simpler to manage. All services have been moved and are fully functional except for Jenkins, which is being debugged to get all the jobs working again, after which we're hoping for some improvements to the frequent networking problems we have encountered in the past. Total time spent on this is over 75 hours and will hopefully not need to be repeated at quite this scale again.…
April Update
Project activity can best be described as a bit unfocused right now, as a somewhat indirect fallout of the pandemic, not so much due to the change in work habits but because it's self-evidently slowed any real uptake of the IdP 4.0.0 upgrade. More typically we'd be fielding a decent range of bug reports and working on a patch but with the paucity of testing so far we haven't seen much, so we're in a holding pattern on exactly what the next release needs to be.…
March Update
Not a long update this month, as the activity is just an extension of last month's update. Work has been hard and heavy though. Two beta releases of the IdP were completed, with a few serious bugs found and fixed, enough that we are comfortable with an official release being cranked as I write this, with the announcement due tomorrow.…
February Update
It's been a busy month for the project primarily to get the expected beta release https://marc.info/?l=shibboleth-announce&m=158091529310277&w=2 of the Identity Provider V4.0 done. Testing to this point has not been extensive, but the early returns from within the team have been positive and the final release is expected by early March at the latest. Upgrades should be very easy for the majority of deployers.…
January Update
Welcome to the third decade of the Shibboleth Project. Various cancelled meetings, holidays, travel, and just generally getting work done have led to a lack of updates, but as of the new year we have started the process of wrapping up V4 IdP development so we can get a beta released as soon as possible. Much of the smaller items left to do are now done, and most substantive remaining issues have been pushed out to future versions, so what's left is primarily testing,…
October Update
Famous last words as we had to ship yet another IdP V3.4 security patch last month to address a memory leak, which required an unfortunately disruptive change to the classes supporting the External authentication flows. We don't take making breaking changes lightly, and do apologize for not fully recognizing the risk of impact to third party plugins,…