2023-12-01
Shibboleth Developer's Meeting, 2023-12-01
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-12-15. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Host the translations for external committers or use a third party service?
Plan is to host in gitolite for now in a separate repository.
Attendees:
Brent
OSJ-392: OpenSAML's strict processing mode does not load ADFS metadataClosed
Proposed solution of adapting the XSAny seems to work.
Daniel
Henri
JOIDC-13: Support for OIDC LogoutClosed
No known issues: only lacks documentation
Fairly complete unit / flow tests
Automated tests with the conformance suite are now working with all variants (code, hybrid, implicit)
Backchannel Rp Initiated Logout Certification Profile Authorization server
Frontchannel Rp Initiated Logout Certification Profile Authorization server test
Rp Initiated Logout Certification Profile Authorization server test
JOIDC-155: Support non-URI client_id values used as resource indicatorsClosed
Nimbus updated the ticket: prefixing the resource-parameter seems to be the way to go
Ian
Java 21:
Updated Java Distributions to cover Java 21:
Supported for Java 17 platform
NOT mentioned for Java 11 platform
My RHEL 8 and 9, and Rocky 8 and 9, machines all have 17 and 21 on them if you need quick access.
No sign of Java 21 on current Debian stable (12, Bookworm), which is probably what we should expect. It does seem to be present in Debian testing (13, Trixie) but we probably don’t have to care about that until mid-2025.
Spring Framework 6.1(.1) is out now. JPAR-221: Migrate to Spring Framework 6.1Closed
Spring > VMware > Broadcom now. Vulture coverage. Just sayin'
John
Marvin
Phil
JDUO-79: Duo integration objects violate null/init constraintsClosed - think that is in sensible shape
JPAR-207: Revert maven-javadoc-plugin to official Apache versionOpen
Was proving hard to try and remove cdi-api from the plugin dependency imports. Spans a few plugins, so it might come back
Still do not know the identity of the key that signed plexus-io, looks likely to be a contributor to the project, but no firm evidence so left an issue (they have not looked at it so far).
CSP stuff was added to RP and commons. So will be included in the next release of both.
Interesting ticket on using Duo as a passwordless only flow.
Some documentation cleanup for using the RP in an MFA flow.
Numerous WebAuthn plugin improvements. Very basic registration and authentication ceremonies are close to working.
Rod
Nothing
I’ll observe that the Wix4 port is ready to go live once we do the “Do we trust these guys” dance. But I don’t have the cycles to force that through right now and there is no urgency (beyond a personal desire to stop being CP for releases)
Scott
Clearing 5.1 backlog
Sites no longer web accessible, cleaning up more broken legacy branch jobs
Tom
nada, wrapping up V5 deployments
Other