Shibboleth Developer's Meeting, 2022-06-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-07-01. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at OSU, see https://marc.info/?l=shibboleth-dev&m=165419483503328&w=2 (same details apply as for 6/3).

AGENDA

• Merged repo: reactions and timescales (@Ian Young)

• Thoughts on opensaml-spring

Add items for discussion here

Attendees:

Brent

Daniel

• Merging ldaptive v2 into IDP v5

  • waiting until v5 main branch work settles down

Henri

The current non-resolved issues for OP 3.2:

• Regarding refresh tokens:

  • https://shibboleth.atlassian.net/browse/JOIDC-90

  • https://shibboleth.atlassian.net/browse/JOIDC-92

  • Almost there, some final polishings / documentation to do

• • Helper-function for scripts and example via attribute resolver service now exists

• • Technically not complicated, will probably use PROTOCOL_MESSAGE.OAUTH2

• • No known issues, I’ve run some tests for both OAUTH2.Token and OAUTH2.TokenAudience profiles

The plan is to release OP 3.2 and common 2.1 during the last week of June.

Ian

John

• Rocky Linux 9 forecast: “ready for general release in the June - July 2022 timeframe”

• Vanishingly little progress on cpp-linbuild for Fargate since last time due to competing demands on my time

Marvin

Phil

• RP updated to support Brent’s JOSE Header JWK resolver

• Added JWT decryption and signature validation support to UserInfo JWT (which could just be a plain JSON object)

  • Test certain modes against the OIDC certification OP

• Improved the response_mode and response_type lookup from RP config

• Added scopes to RP config, default obviously openid.

• Added OIDC ACR proxy pass-through function from upstream SAML request (similar to SAML proxy)

• Flow XML cleanups

• More tests

Rod

• Windows Server recommendations.

Scott

• Working on IdP refactor

  • Cloned IdP into java-shib-metadata

    • shib-metadata-api/impl

      • Unfortunately depends on some shib-attribute modules due to EntityAttributes node processor, including an impl module

    • shib-metadata-spring (maybe it’s time to split these into -api/-impl?)

    • This is at least all building and passing tests

  • Cloned IdP into java-shib-attribute

    • shib-attribute-api/impl

      • Probably need to deprecate and move in various Attribute-related predicates and such out of other packages

    • shib-attribute-resolver-api/impl/spring

      • Some connectors and definitions will probably stay in the IdP somewhere (e.g. anything to do with Subject)

    • shib-attribute-filter-api/impl/spring

      • Filter impl relies on shib-metadata-api due to Scope extension

  • Considered Spring classes open to package rename/reorg, but not the rest for now

  • Fair bit of work left to get this building

Tom

• need to patch server

• worked on Windows Server 2022 image

Other