Shibboleth Developer's Meeting, 2023-12-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-12-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Host the translations for external committers or use a third party service?

   1. Plan is to host in gitolite for now in a separate repository.

Attendees:

Brent

• https://shibboleth.atlassian.net/browse/OSJ-392

  • Proposed solution of adapting the XSAny seems to work.

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JOIDC-13

  • No known issues: only lacks documentation

  • Fairly complete unit / flow tests

  • Automated tests with the conformance suite are now working with all variants (code, hybrid, implicit)

    • Backchannel Rp Initiated Logout Certification Profile Authorization server

    • Frontchannel Rp Initiated Logout Certification Profile Authorization server test

    • Rp Initiated Logout Certification Profile Authorization server test

• https://shibboleth.atlassian.net/browse/JOIDC-155

  • Nimbus updated the ticket: prefixing the resource-parameter seems to be the way to go

Ian

• Java 21:

  • Updated Java Distributions to cover Java 21:

    • Supported for Java 17 platform

    • NOT mentioned for Java 11 platform

  • My RHEL 8 and 9, and Rocky 8 and 9, machines all have 17 and 21 on them if you need quick access.

  • No sign of Java 21 on current Debian stable (12, Bookworm), which is probably what we should expect. It does seem to be present in Debian testing (13, Trixie) but we probably don’t have to care about that until mid-2025.

• Spring Framework 6.1(.1) is out now. https://shibboleth.atlassian.net/browse/JPAR-221

• Spring > VMware > Broadcom now. Vulture coverage. Just sayin'

  Open

  

John

Marvin

Phil

• https://shibboleth.atlassian.net/browse/JDUO-79 - think that is in sensible shape

• https://shibboleth.atlassian.net/browse/JPAR-207

  • Was proving hard to try and remove cdi-api from the plugin dependency imports. Spans a few plugins, so it might come back

  • Still do not know the identity of the key that signed plexus-io, looks likely to be a contributor to the project, but no firm evidence so left an issue (they have not looked at it so far).

• CSP stuff was added to RP and commons. So will be included in the next release of both.

• Interesting ticket on using Duo as a passwordless only flow.

• Some documentation cleanup for using the RP in an MFA flow.

• Numerous WebAuthn plugin improvements. Very basic registration and authentication ceremonies are close to working.

Rod

• Nothing

• I’ll observe that the Wix4 port is ready to go live once we do the “Do we trust these guys” dance. But I don’t have the cycles to force that through right now and there is no urgency (beyond a personal desire to stop being CP for releases)

Scott

• Clearing 5.1 backlog

• Sites no longer web accessible, cleaning up more broken legacy branch jobs

Tom

• nada, wrapping up V5 deployments

Other