Shibboleth Developer's Meeting, 2023-02-03

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-02-17. Any reason to deviate from this?

60 to 90 minute call window.

This week's call will use the Zoom system at GU, see ZoomGU for access info.

https://shibboleth.atlassian.net/browse/JPAR-218 (@Ian Young , but alas I very likely won’t be around for the call)
Config merge for OP/RP
1. Using commons to install files is a little risky to me. Note that two modules could in fact both manage one file resource, that shouldn’t actually break anything.
2. Conclusion - Duo dependency really means we have to avoid config contamination via commons jars so we need a new project/plugin/module to hold shared config. TBD whether we want to bite off the problem of auto-installing dependent plugins because right now we specify only module dependency, not plugins.

https://shibboleth.atlassian.net/browse/JCOMOIDC-41
- Some iterations since early January after discussions with Phil
- Signature validations (request objects and JWT auth) now fairly well tested on OP
  - Only lacks global inclusion/exclusion tests (those are not yet properly wired in commons)
https://shibboleth.atlassian.net/browse/JCOMOIDC-48
- We need IdP 4.3.0 for this: https://shibboleth.atlassian.net/browse/JSE-51
- The OP main branch (relying-party/postconfig.xml) is adapted into the new structure
OP requires Nashorn plugin for Java15+ due to two one-line scripts

Very unlikely to make the meeting; out on jury duty.
Opened an xmlsectool v4 release to track OpenSAML and Java 17. No end date in mind; there are no features planned.
MDA making progress, but there are a lot of unshaven yaks around.

Working on the common build.sh in cpp-linbuild to help ensure that the “local” repo is valid before the first component is built

Mainly https://shibboleth.atlassian.net/browse/JCOMOIDC-48 - which is on the agenda
Lots of cleanups in the RP to support https://shibboleth.atlassian.net/browse/JCOMOIDC-60 and https://shibboleth.atlassian.net/browse/JCOMOIDC-62
Nimbus fixed their truncation issue, so I’ve bumped commons to support.
Coincidently to the opensaml case in the user's thread. https://shibboleth.atlassian.net/browse/JCOMOIDC-64
- Nimbus supported it (both JDK11+ JCA alg name and BouncyCastle alg name), so we just needed to add the JWA alg descriptor.
Need to add include and exclude global alg support to the JWA encryption and signing operation classes.
- Will take guidance from opensaml.

Some null cleanup before handing off to Rod
Resuscitating SP code, added null checking there
Started reviewing SP configuration and impact on redesign, agents
- SP Configuration Settings
- SP Service Architecture (Agent/Service Interaction)
Continuing to identify sections of API code likely to be shareable between IdP and SP
- Moved SecurityConfiguration hierarchy into OpenSAML
- Moved metadata-driven configuration strategy functions into shib-attribute-api (they operate on decoded IdPAttributes)
- Don’t think sharing actual ProfileConfigurations is likely
- We can always copy and eventually merge implementation classes over time but APIs are more disruptive to change so prioritizing there

tests :
- updates for recent Tomcat
- https://shibboleth.atlassian.net/browse/IDP-2063
  - for some reason, the IdP session cookie is not being written, still investigating
infrastructure :
- OpenSAML artifact downloads (Maven metadata, POMs, signatures, etc.) :
  - Central = 6-18 million per month
  - build.s.n = 4 million per week (with sample size of 1 week lol)
  - top ten requested Maven group IDs for a week :
    - 1341689 /com/google
      1444132 /co/actioniq
      1754969 /nexus/content
      1806993 /com/vmware
      2576770 /grammarly/subscription-api
      3703348 /grammarly/grammarly-billing-api
      3710300 /org/opensaml
      5671160 /org/springframework
      5965866 /org/apache
      7654145 /com/medallia