Shibboleth Developer's Meeting, 2022-07-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-07-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. opensaml-spring discussion

2. Affirm or reverse package sealing?

   1. This actually may create some complexity due to the refactoring…

3. https://shibboleth.atlassian.net/browse/IDP-1955

Attendees:

Brent

• https://shibboleth.atlassian.net/browse/JCOMOIDC-41

  • Added an interface and minimal impl to resolve creds from a JOSEObject.

• https://shibboleth.atlassian.net/browse/OSJ-355

  • Done unless someone believes the “00” syntax should not be allowed.

Daniel

Henri

• Testing, documenting, polishing and finally finished the OP release

• Mostly on vacation on July

Ian

• Probably out for this meeting.

John

• Still no Rocky Linux 9 yet

• Nothing new for cpp-linbuild-on-fargate

Marvin

Phil

• resolver to support the RP config approach of the RP Proxy i.e. client_secret in RP config but still supporting security config signing creds from rp-credentials.xml.

• in the end, a fair bit of cleanup and refactoring to support the request object: if configured (in RP config) and supported by downstream OP.

  • Supports signing

    • I assume we need to support the plain JWT option if the downstream OP does not support the same set of signing algs. Seems a bit pointless but I am probably wrong.

  • No encryption support yet

  • No support for id_token and userinfo_token claim requests yet.

• Did not get a chance to start the docs, will do next week.

Rod

• JDBC Storage Service & beta testing.

• preparations

Scott

• Continuing work on library refactoring

  • New projects are mostly in preliminary shape

    • TBD splitting out spring (api/impl) and test modules

  • Work in progress on IdP branch

• Rod implemented a draft approach to allow a Spring schema namespace to be handled by different classes for layering. IdP will need to subordinately implement the parser for certain types that require higher layer objects to prevent cycles. SP may need to do the same, or new modules constructed to implement them. Typically this is for Metadata plugins that depend on Attributes.

Tom

• Question about metadata-driven attribute filter configuration …
  How about a wildcard attribute filter policy like this :

  <AttributeFilterPolicy id="Per-Attribute-singleValued"> <PolicyRequirementRule xsi:type="ANY"/> <AttributeRule attributeID="wildcard-any-attribute-in-metadata"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="*" /> </AttributeRule> </AttributeFilterPolicy>

  instead of :

  <AttributeFilterPolicy id="Per-Attribute-singleValued"> <PolicyRequirementRule xsi:type="ANY"/> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="eduPersonPrincipalName" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="mail" /> </AttributeRule> 278 more <AttributeRule>s ... </AttributeFilterPolicy>

• WindowsServer2022 Jenkins image - looking at ways to copying Java / Maven updates rather than cutting new AMI

Other