Shibboleth Developer's Meeting, 2023-11-03
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-11-17. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Move mains up to 5.1?
Javadoc publication plans
Keep as part of release for consistent results?
Build afterward
Deploy or not deploy? With deploy-file? All or just aggregate? Do we care about them being in Nexus and available for Eclipse?
Attendees:
Brent
https://shibboleth.atlassian.net/browse/OSJ-392
Have a provisional solution; not yet tested out.
Daniel
Henri
Ian
John
Looking into options for (smoke) testing RPMs produced by cpp-linbuild
Marvin
Phil
Following Scott’s lead on CSP in the RP and commons. Both should be done in branches.
Some follow-up to Scott’s null cleanup on oidc-commons
Thanks for all that work, plenty of null issues in commons sadly.
Work on WebAuthn authentication plugin
Basic structure in place for an admin flow for registration and an authentication flow for err. authenticating.
Operating inside the MFA flow.
Longer term can be the first and only factor, or 2nd-factor
Shorter term it allows authentication flow selection, useful for the admin flow when you first need to register a key — but ‘password’ fallback is pointless long term, so this is just for testing.
Battling with Yubico’s JavaScript libraries to convert JSON credential creation/authentication requests that come from the server into something compatible with the WebAuthn APIs.
Rod
Releases for jetty x.0.17 (IdP 4.3.1.4, JettyBase 11.0.18, plus supporting jetty-base jars)
Enforcer releases
Moving towards closure (one way or another) on https://shibboleth.atlassian.net/browse/GEN-330
https://shibboleth.atlassian.net/browse/SSPCPP-982 (installers are weird)
Scott
Incidental: upgraded OSU to V5 last week, no issues thus far
Starting on work estimates and budget planning
Ongoing work around javadoc, experimenting with TOTP corrected release
https://shibboleth.atlassian.net/browse/OSJ-393
Testbed classpath issues → BOMpocalypse
https://shibboleth.atlassian.net/browse/IDP-2195
Propose we eliminate use of BOMs as they have a deliberately odd precedence that reverses the usual rule of “child overrides parent”.
https://shibboleth.atlassian.net/browse/IDP-2191
Notable change to Spring we can’t override but I don’t think it’s a significant issue.
https://shibboleth.atlassian.net/browse/JSSH-41
I hit some of this in OpenSAML without realizing that factory beans could actually return null.
Tom
https://shibboleth.atlassian.net/browse/IDP-2175
Having trouble unsetting cookies - should be much easier to debug now that the POMs have been changed.
Other