Shibboleth Developer's Meeting, 2023-06-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-06-16. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at OSU, see announcement for access info.

AGENDA

• Rod: Installler / IDP-2073: Consider enabling the installer to download new versionsClosed Some questions about downloading the next IdP version as enumerated here

• Rod: Installer / IDP-2107: Misc V5 Installer tasksClosed

  • Do we want to generate metadata in the installer or point people at the plugin?

  • How much do we want to do for backchannel and for SAML1 (bearing in mind that the driver for this is still The windows installer and some federations with significant SAML1 presence)

• IdP V5 schedule

  • “Most” remaining work seems to be plugin porting, installer, and testing

    • Null cleanup is a nice to have but probably not critical path esp. since we can update plugins again after

  • Maybe September for a beta and October release?

Attendees:

Brent

• On holiday this meeting and next, if it remains 2023-06-16

• OSJ-362: Add support for dynamic config to DecrypterClosed

  • Have implemented most of what is outlined in the issue.

  • Still pending is 1) new/updated unit tests 2) sorting where/how the IdP function for the recipients is defined and will get injected into this new design.

Daniel

Henri

Out.

Ian

• New Guava release: Release 32.0.0 · google/guava

  • JPAR-219: Update Guava to 32.1.2-jreClosed

  • New keys!

• New plugin dependency keys, too.

• Java 21 enters Rampdown Phase 1 2023-06-08.

• Debian 12 releases 2023-06-10.

John

• SSPCPP-969: cpp-linbuild manifests do not match actual RPM/SRPM productsResolved

  • Finally identified the foot gun that broke the build of some components on some platforms, to wit that older rpm does not understand elif and silently ignores it. Serves me right for trying to make specfile improvements unrelated to the main problem I was trying to solve, which, it turns out, I may not actually be able to solve due to debuginfo sub-packages being unknown prior to building.

  • Remaining to do: verify that upgrades work and generate a summary of changed package names.

• Amazon Linux and Rocky Linux image bumps

Marvin

Phil

• On holiday

• JOIDCRP-29: Support client_secret_jwt and private_key_jwt client authenticationClosed

• Had some good feedback from Timo (Aalto University) on the RP plugin. A few improvements are expected (I will file some issues for the RP next week).

Rod

• Very deep in installer space IDP-2105: V5 Installer Container taskClosed

  • The Installer, plugin & module code is in a state of flux

• Refactoring Plugin Installer bugs fixed

  • for IDP-2073: Consider enabling the installer to download new versionsClosed

  • multiple bugs found and fixed

• Much of the discussion in JIRA, so go there for more details.

  • Some open questions in the agenda.

• IDP-2121: Future Proofing the Module Plugin infrastructure for Future SP useClosed

• Played with moving a plugin up to Java17.

  • Should I write up a how to? (frequent pitfalls and so on)

• And not losing sight of module/plugin metrics

Scott

• Testing and cleanup from module changes

• IDP-2082: Metric EnhancementsClosed

  • Added a timer around batch metadata refresh (tried to limit to actual “new” fetches)

  • Adjusted how we name the metadata metrics to avoid class name leakage, but added control of names to config schema

  • Added per-profile counters using a bean at the top of every flow

  • Added a map of counters for every relying party configuration (emulating Brent’s approach to avoid race conditions around service reload)

  • TBD work on exposing “effective” config settings for a request from a given SP

• Other backlog

Tom

• OIDC OP tests

  • made some progress

    • looking into running both the RP / conformance suite and the IdP via Docker + Docker Compose

      • mostly because of the networking between the RP and OP

      • also set up an RP using the Rocky Linux Docker image + mod_auth_openidc

      • not sure at the moment how to start / stop the Docker containers via Java in the tests (probably using a Java Process just like the Servlet containers)

• V5 integration tests

  • need to update tests for installer changes (command line options instead of system properties)

    • Ian - iay/shibboleth-idp-docker will need changes too I think

• idp-jetty-base

  • for the 10, 11, and 10-windows branches the dta-ssl JAR is always loaded (via the ext directory / module)

    • probably should change the idp-backchannel.mod Jetty module to not use ext/ to load the JAR

      • meaning the backchannel will be fully disabled by default

• as a deployer : starting to look into Loop Detection

  • while monitoring graphs derived from metrics, noticed some usage spikes / chunks
    (appears to be loading the Azure login page as part of SAML proxy)
    with URLs like “…e547s1…”

Other