2022-10-21
Shibboleth Developer's Meeting, 2022-10-21
Call Administrivia
09:00 Central US / 10:00Â Eastern US /Â 15:00Â UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-11-04. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Decision on destroy methods in bean files - default it or explicitly set it?
(if time) Signing keys/supply chain attack defense
Attendees:
Brent
JSSH-16: Update to Apache HttpClient 5.xClosed
Refactoring in progress. Large chunk of java-shib-shared done. Have to do a deeper dive into some changes around TLS.
Daniel
Henri
Offline today
Ian
Spring Framework 6.0.0-RC2 and Spring Boot 3.0.0-RC1 are out. GA will be next month. No statement on SWF yet.
MDA 0.10 in progress.
John
Updating Amazon Linux images
Fargate builder
Marvin
Â
Phil
RP docs and code cleanup
Thinking about adding a keyset endpoint to the RP like the OP - a bit more involved than I thought, but perhaps should target this for v1?
Thinking about dynamic registration - but not confident I could get that in place for v1.
Thinking about UserInfo response formats - it can be either a plain JSON object or a JWT. Signalled by Content-Type header. But this could be manipulated, not sure this is much of a problem but I have added a setting to force JWT types only (off by default so supports either).
Fixed up the assembly, so can be installed as a plugin to a running IdP - tested it with a fresh plugin build and sign of the commons lib.
Â
Rod
Scott
Xerces 3.2.4 patch
Likely officially moving project to requiring C++-11
IDP-2020: SecurityConfiguration on AbstractProfileConfiguration is SAML-specificClosed
JSSH-9: Rework IdentifierGenerationStrategy usageClosed
Overblown but we don’t reference impl classes anymore and I did modernize the Java random APIs
https://shibboleth.atlassian.net/browse/IDP-2023
Likely the biggest hassle for upgrades to V5
https://shibboleth.atlassian.net/browse/IDP-1935
Worked around this issue for now, I think we want to open up more of the decryption APIs in V5 to be Criterion-based
JPAR-213: Update to latest slf4j/logbackClosed
Updated main branch for now, we’ll likely want to move the old branch to them also
IDP-2027: Flow exception handling is breaking under EclipseClosed
SP is being brought up to date after refactor, adding components for metadata, attribute handling
OSJ-363: Add activationCondition support to MetadataResolversClosed
Will be working on new Session API next
Already built a remoted endpoint that parses XML and returns the DOM mapped into remotable objects so agents can deliver their configurations to the service for processing
Tom
updating certs in integration tests for V5
Other
Â