2023-02-03

Shibboleth Developer's Meeting, 2023-02-03

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-02-17. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. https://shibboleth.atlassian.net/browse/JPAR-218 (@Ian Young, but alas I very likely won’t be around for the call)

  2. Config merge for OP/RP

    1. Using commons to install files is a little risky to me. Note that two modules could in fact both manage one file resource; that shouldn’t actually break anything.

    2. Conclusion - Duo dependency really means we have to avoid config contamination via commons jars so we need a new project/plugin/module to hold shared config. TBD whether we want to bite off the problem of auto-installing dependent plugins because right now we specify only module dependency, not plugins.

Attendees:

Brent

  • HttpClient v5

    • Refactoring done for main IdP stack projects

    • Need to resolve some unit test failures and other issues, but expect to be “done” soon

    • Question about logistics for merging into main(s): Everything under parent 17.0.0 needs to be done at once, so plan for other dependent projects?

      • OIDC stuff is not yet using parent 17, so defer to later

      • MDA is only known child of parent 17, so Brent will take a crack at refactoring that on a branch

Daniel

  • Nothing to report.

Henri

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-41

    • Some iterations since early January after discussions with Phil

    • Signature validations (request objects and JWT auth) now fairly well tested on OP

      • Only lacks global inclusion/exclusion tests (those are not yet properly wired in commons)

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-48

    • We need IdP 4.3.0 for this:

    • The OP main branch (relying-party/postconfig.xml) is adapted into the new structure

  • OP requires Nashorn plugin for Java 15+ due to two one-line scripts

Ian

  • Very unlikely to make the meeting; out on jury duty.

  • Opened an xmlsectool v4 release to track OpenSAML and Java 17. No end date in mind; there are no features planned.

  • MDA making progress, but there are a lot of unshaven yaks around.

John

  • Working on the common build.sh in cpp-linbuild to help ensure that the “local” repo is valid before the first component is built

Marvin

 

Phil

  • Mainly - which is on the agenda

  • Lots of cleanups in the RP to support and

  • Nimbus fixed their truncation issue, so I’ve bumped commons to support.

  • Coincidently to the opensaml case in the user's thread.

    • Nimbus supported it (both JDK11+ JCA alg name and BouncyCastle alg name), so we just needed to add the JWA alg descriptor.

  • Need to add include and exclude global alg support to the JWA encryption and signing operation classes.

    • Will take guidance from opensaml.

 

Rod

  • Low hanging null fruit in the java-shib projects

    • Including ‘that’ Collector

 

Scott

  • Some null cleanup before handing off to Rod

  • Resuscitating SP code, added null checking there

  • Started reviewing SP configuration and impact on redesign, agents

    • (Agent/Service Interaction)

  • Continuing to identify sections of API code likely to be shareable between IdP and SP

    • Moved SecurityConfiguration hierarchy into OpenSAML

    • Moved metadata-driven configuration strategy functions into shib-attribute-api (they operate on decoded IdPAttributes)

    • Don’t think sharing actual ProfileConfigurations is likely

    • We can always copy and eventually merge implementation classes over time but APIs are more disruptive to change so prioritizing there

Tom

  • tests:

    • updates for recent Tomcat

      • for some reason, the IdP session cookie is not being written, still investigating

  • infrastructure:

    • OpenSAML artifact downloads (Maven metadata, POMs, signatures, etc.):

      • Central = 6-18 million per month

      • build.s.n = 4 million per week (with sample size of 1 week lol)

      • top ten requested Maven group IDs for a week:

        • 1341689 /com/google
        • 1444132 /co/actioniq
        • 1754969 /nexus/content
        • 1806993 /com/vmware
        • 2576770 /grammarly/subscription-api
        • 3703348 /grammarly/grammarly-billing-api
        • 3710300 /org/opensaml
        • 5671160 /org/springframework
        • 5965866 /org/apache
        • 7654145 /com/medallia

Other