Shibboleth Developer's Meeting, 2024-01-19

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-02-02. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Plan to submit grant proposal to GEANT for OpenID Fed work

2. Release schedule

   1. Will do a 3.0.1 of OIDC commons to fix javadoc and allow a Duo release when it’s ready

   2. The plugins will get done when they’re done

   3. 5.1 would be nice to get out by end of Feb but no particular urgency

3. Board updates

Attendees:

Brent

• OSJ-391: Default supported TLS protocols appears too broadClosed

  • I obviously overlooked issues with the custom schemas in the IdP. I’ll take a look at those and see if there is a viable solution, such as merging the <TrustEngine> etc type of stuff with an injected HttpClientSecurityParameters, using some order of precedence.

• OSJ-392: OpenSAML's strict processing mode does not load ADFS metadataClosed

  • Will investigate doing something rational on the interface collections. I think having them throw on mutation attempts would be consistent with the other setter methods.

Daniel

Henri

• JCOMOIDC-95: Add clockSkew and idGenerator configuration hooks to JSONSecurityConfigurationClosed

  • Realized that those could not be customized with the JSON security configuration

  • Should we inherit clockSkew setting from security configuration?

• JOIDC-191: Harmonise the use of identifier generation strategiesClosed

  • xml-safe flag enabled by default → _ -prefixes in identifiers

• JOIDC-186: Support additional refresh token typesClosed

  • JWT-format committed and tested

• https://shibboleth.atlassian.net/browse/JCOMOIDC-96

  • TODO: wiring and tests for OP

• Work on the GEANT proposal

Ian

John

• Amazon Linux (2, 2023) and RHEL (7, 8, 9) image bumps

• Starting to get oriented to the IdP with an eye toward SP testing

Marvin

Phil

• plexus-io-3.4.2 released with a key from a known individual.

  • Although no new release of maven-javadoc-plugin that uses that yet. And overriding versions non-trivial.

    • (As Ian noted) Should be easier to override a plugin dep version than exclude transitive dependencies.

• https://shibboleth.atlassian.net/browse/JDUO-82- Some amendments to that.

• Strategy to release commons 3.0.1. Happy to do this if the email makes sense. Release stuff already on the agenda.

• https://shibboleth.atlassian.net/browse/JOIDCRP-53

  • My fault, but I should have put those two user-controlled files into oidc-config.

  • Need to think about versions, compatibility, updates etc.

• https://shibboleth.atlassian.net/browse/JWEBAUTHN-1

  • 2FA flow working. Off logic that needs review

  • Usernameless flow working.

  • Passwordless flow in progress

    • Working on username input

  • Then, integration into Storage API.

Rod

• Starting to kick the wheels on non web use of Thymeleaf

• Hope to restart the discussions about WiX v4 in the next 2 weeks

Scott

• https://shibboleth.atlassian.net/browse/JDUO-80 and subtasks

  • UI has been thrashing a lot but I think things have mostly settled

  • Docs are mostly done, need to get more detail in about the defaults and implications in terms of Duo features

  • IDP-2220: Add username caching for login formClosed

• Keeping up with minor 5.1 backlog

Tom

• Safari tests

Other