Shibboleth Developer's Meeting, 2023-05-19

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-06-02. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

• (PS) Some things from the EIC 2023 conference:

  • FAPI 2.0 Security Profile?

    • For the RP, also relevant for the OP of course.

  • OIDC4VC. Lots of talk about Wallets in EIC.

• (PS) Switch plugins to V5 in parallel? if possible, I am not sure.

  • wait a few weeks, then switch mainline to 5 and maint branch for 4

Attendees:

Brent

• https://shibboleth.atlassian.net/browse/OSJ-379

  • discussion

Daniel

• ldaptive updated to v2.1.2 for IDP v5

Henri

• Bad wiring in the new OIDCConfig caused issues to OP’s non-MDDriven token profile configuration:

  • https://shibboleth.atlassian.net/browse/JOIDC-158

  • https://shibboleth.atlassian.net/browse/JOIDC-159

• Both would have been spotted before release, if only I had used both profile configuration methods in conformance testing

Ian

• Java 21 Rampdown Phase 1 on 2023-06-08:

  • Virtual threads

  • Sequenced collections

  • Record patterns

  • Pattern matching for switch

• Debian 12 release 2023-06-10

• Spring Framework 6.0.9 integrated

John

• Testing/fixing https://shibboleth.atlassian.net/browse/SSPCPP-969

• Bumped Amazon Linux 2 image

Marvin

Phil

• OIDC-stack release. And some re-releases.

  • Remembering:

    • DuoOIDC is indeed part of that stack!

    • Not to make changes that will affect the enforcer on the day of release. Sounds obvious, so telling off to myself.

• Next up:

  • https://shibboleth.atlassian.net/browse/JOIDCRP-29

  • https://shibboleth.atlassian.net/browse/JOIDCRP-30

    • Need to figure out what that mitigates for in a confidential OIDC client.

Rod

• Kicking off the Installer https://shibboleth.atlassian.net/browse/IDP-2105. There will be some discussion needed but I’m not ready for it. Meanwhile I’m tracking open questions in JIRA. Meanwhile also watch V5 IdP Installer

• Started poking at metrics for Module and Plugin state. Also considering adding a metric for “Update version available” (as part of https://shibboleth.atlassian.net/browse/IDP-2073

Scott

• Completed NonnullElements review of everything in the IdP stack except OpenSAML and the IdP. Biggest goal is more about flagging Live/NotLive on all returned collections (and Live on a few inputs that get mutated internally).

• IdP 5 docs and release notes

• https://shibboleth.atlassian.net/browse/IDP-2002

  • Still working out final changes to POMs subject to installer’s needs but hope for some additional simplifications.

  • idp-conf is gone

  • Testing overrides are moved under classpath:/net/shibboleth/idp/modules, which is the new idp.home for now

  • All installed files are now module-managed.

• https://shibboleth.atlassian.net/browse/IDP-2082

  • Reviewing use cases, mostly around exposing more configuration state. Probably need a peer to aacli that will analyze and expose the configuration applied to an SP, in effect exercising the relying party and metadata lookups and reporting out the profile settings.

Tom

• Integration tests working for IdP V4 and V5

  • back to working on OIDC and Tomcat

  • need to update Jenkins AMIs (especially Java on Windows)

• Rod / Scott - how about enabling the plugin CLI to install a plugin and its dependencies ?
  e.g. when you install the OIDC OP, it fails and rollsback if OIDC.config is not installed, so skip the failure and install dependencies too

Other