2022-07-01
Shibboleth Developer's Meeting, 2022-07-01
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-07-15. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
opensaml-spring discussion
Affirm or reverse package sealing?
This actually may create some complexity due to the refactoring…
IDP-1955: Add attachClasses to the maven-war-plugin in idp-parent (Closed)
Attendees:
Brent
JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commons (Closed)
Added an interface and minimal impl to resolve creds from a JOSEObject.
OSJ-355: ConcatKDF parameter requirements too restrictive in ECDH (Closed)
Done unless someone believes the “00” syntax should not be allowed.
Daniel
Henri
Testing, documenting, polishing and finally finished the OP release
Mostly on vacation in July
Ian
Probably out for this meeting.
John
Still no Rocky Linux 9 yet
Nothing new for cpp-linbuild-on-fargate
Marvin
Phil
JOIDCRP-16: Add a relying party signing parameters resolver (Closed): resolver to support the RP config approach of the RP Proxy, i.e. client_secret in RP config but still supporting security config signing creds from rp-credentials.xml.
JOIDCRP-15: Support Request Object by Value (Closed): in the end, a fair bit of cleanup and refactoring to support the request object: if configured (in RP config) and supported by downstream OP.
Supports signing
I assume we need to support the plain JWT option if the downstream OP does not support the same set of signing algs. Seems a bit pointless but I am probably wrong.
No encryption support yet
No support for id_token and userinfo_token claim requests yet.
Did not get a chance to start the docs, will do next week.
Rod
JDBC Storage Service & beta testing.
JSPT-98: Integrate lifecycle checking methods in base classes (Resolved): preparations
Scott
IDP-1968: Basic auth support is restricting Authorization header to US-ASCII (Closed)
Continuing work on library refactoring
New projects are mostly in preliminary shape
TBD splitting out spring (api/impl) and test modules
Work in progress on IdP branch
Rod implemented a draft approach to allow a Spring schema namespace to be handled by different classes for layering. IdP will need to subordinately implement the parser for certain types that require higher layer objects to prevent cycles. SP may need to do the same, or new modules constructed to implement them. Typically this is for Metadata plugins that depend on Attributes.
Tom
Question about metadata-driven attribute filter configuration …
How about a wildcard attribute filter policy like this:
<AttributeFilterPolicy id="Per-Attribute-singleValued">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="wildcard-any-attribute-in-metadata">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="*" />
    </AttributeRule>
</AttributeFilterPolicy>
instead of:
<AttributeFilterPolicy id="Per-Attribute-singleValued">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="eduPersonPrincipalName" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="mail" />
    </AttributeRule>
    278 more <AttributeRule>s ...
</AttributeFilterPolicy>
WindowsServer2022 Jenkins image - looking at ways of copying Java / Maven updates rather than cutting a new AMI
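One way to avoid hand-writing the 280 per-attribute rules in the second form of Tom's question is to generate them from the IdP's attribute ID list. The script below is an added example, not Shibboleth project code and not part of the meeting notes; it assumes the attribute-filter namespace urn:mace:shibboleth:2.0:afp and emits exactly the EntityAttributeExactMatch rule shape shown above, with a parse-back helper so the generated policy can be audited (each rule's attributeValue must equal its attributeID, otherwise a metadata tag would release the wrong attribute).

```python
import xml.etree.ElementTree as ET

# Namespaces and constants taken from the policy in the question above.
AFP_NS = "urn:mace:shibboleth:2.0:afp"        # assumed attribute-filter.xml namespace
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
RELEASE_ALL = "http://shibboleth.net/ns/attributes/releaseAllValues"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("", AFP_NS)
ET.register_namespace("xsi", XSI_NS)


def build_policy(attribute_ids, policy_id="Per-Attribute-singleValued"):
    """Return an <AttributeFilterPolicy> with one AttributeRule per attribute ID.

    Each rule permits its attribute only when the SP's metadata carries the
    releaseAllValues entity attribute whose value is exactly that attribute ID.
    """
    policy = ET.Element(f"{{{AFP_NS}}}AttributeFilterPolicy", {"id": policy_id})
    ET.SubElement(policy, f"{{{AFP_NS}}}PolicyRequirementRule",
                  {f"{{{XSI_NS}}}type": "ANY"})
    for attr_id in attribute_ids:
        rule = ET.SubElement(policy, f"{{{AFP_NS}}}AttributeRule",
                             {"attributeID": attr_id})
        ET.SubElement(rule, f"{{{AFP_NS}}}PermitValueRule", {
            f"{{{XSI_NS}}}type": "EntityAttributeExactMatch",
            "attributeName": RELEASE_ALL,
            "attributeNameFormat": URI_FORMAT,
            "attributeValue": attr_id,      # the metadata tag value must be the attribute ID
        })
    return policy


def policy_xml(attribute_ids):
    """Serialize the generated policy to a string ready to paste into attribute-filter.xml."""
    return ET.tostring(build_policy(attribute_ids), encoding="unicode")


def rule_map(xml_text):
    """Audit helper: parse a policy and return {attributeID: permitted attributeValue}."""
    root = ET.fromstring(xml_text)
    out = {}
    for rule in root.findall(f"{{{AFP_NS}}}AttributeRule"):
        pvr = rule.find(f"{{{AFP_NS}}}PermitValueRule")
        out[rule.get("attributeID")] = pvr.get("attributeValue")
    return out


if __name__ == "__main__":
    # Constructed sample list; in practice read the IDs from attribute-resolver.xml.
    print(policy_xml(["eduPersonPrincipalName", "mail"]))
```

Feed the full attribute ID list (the two shown plus the 278 others) to policy_xml and diff the result against the hand-written policy with rule_map to catch any rule whose attributeValue drifted from its attributeID.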
Other