Shibboleth Developer's Meeting, 2022-10-21

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-11-04. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Decision on destroy methods in bean files - default it or explicitly set it?

2. (if time) Signing keys/supply chain attack defense

Attendees:

Brent

• JSSH-16: Update to Apache HttpClient 5.xClosed

  • Refactoring in progress. Large chunk of java-shib-shared done. Have to do a deeper dive into some changes around TLS.

Daniel

• IDP-1963: Update ldaptive to version 2 for IDP version 5Closed

Henri

• Offline today

Ian

• Spring Framework 6.0.0-RC2 and Spring Boot 3.0.0-RC1 are out. GA will be next month. No statement on SWF yet.

• MDA 0.10 in progress.

John

• Updating Amazon Linux images

• Fargate builder

Marvin

Phil

• RP docs and code cleanup

• Thinking about adding a keyset endpoint to the RP like the OP - a bit more involved than I thought, but perhaps should target this for v1?

• Thinking about dynamic registration - but not confident I could get that in place for v1.

• Thinking about UserInfo response formats - it can be either a plain JSON object or a JWT. Signalled by Content-Type header. But this could be manipulated, not sure this is much of a problem but I have added a setting to force JWT types only (off by default so supports either).

• Fixed up the assembly, so can be installed as a plugin to a running IdP - tested it with a fresh plugin build and sign of the commons lib.

Rod

• IDP-2025: Transitory errors on Windows V5 nightly buildsClosed

• IDP-1927: Make Jetty run under its own credentials for windows installsClosed

Scott

• Xerces 3.2.4 patch

  • Likely officially moving project to requiring C++-11

• IDP-2020: SecurityConfiguration on AbstractProfileConfiguration is SAML-specificClosed

• JSSH-9: Rework IdentifierGenerationStrategy usageClosed

  • Overblown but we don’t reference impl classes anymore and I did modernize the Java random APIs

• IDP-2023: Remove extended flow feature from password login flowClosed

  • Likely the biggest hassle for upgrades to V5

• IDP-1935: SAML2 Auth flow fails to decrypt when using overridden responder id.Closed

  • Worked around this issue for now, I think we want to open up more of the decryption APIs in V5 to be Criterion-based

• JPAR-213: Update to latest slf4j/logbackClosed

  • Updated main branch for now, we’ll likely want to move the old branch to them also

  • IDP-2027: Flow exception handling is breaking under EclipseClosed

• SP is being brought up to date after refactor, adding components for metadata, attribute handling

  • OSJ-363: Add activationCondition support to MetadataResolversClosed

  • Will be working on new Session API next

  • Already built a remoted endpoint that parses XML and returns the DOM mapped into remotable objects so agents can deliver their configurations to the service for processing

Tom

• updating certs in integration tests for V5

Other