Shibboleth Developer's Meeting, 2024-02-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-02-16. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Brief update on grant proposal

2. Review of 5.1 work TBD

   1. Target perhaps 2/19 or 2/26 for a release…

3. Thymeleaf discussion

   1. Co-existence seems plausible, though doing as a plugin probably isn’t

   2. More control over view resolvers is a need

   3. Pending ability to verify keys, 5.1 is a possibility, if not it will have to wait for 5.2

   4. CSP seems difficult if not impractical but could be done via meta tags as a fallback

   5. In parallel, Marvin will consider work on redoing the default UI with more modern CSS tools, we can slip this in at any point that we’re happy with the work. TBD if that would be Thymeleaf only.

   6. If and when we have templates available, adding additional modules to install one set of templates or the other may be the best way to have them co-exist

4. (PS) Some TIIME updates if there is…time.

Attendees:

Brent

• OSJ-391: Default supported TLS protocols appears too broadClosed

  • Have a couple of solutions for the custom parser issue. Details in the issue. Not mutually exclusive.

Daniel

Henri

• Offline today, apologies

• Not too much progress since last meeting on technical tasks due to work on grant last week and TIIME this week

Ian

• Back on the MDA at last.

• Will probably try to prototype some of the transactional release idea when I come to release that.

John

Marvin

Phil

• WebAuthn

  • Adaptor to adapt the Credential Repository interface to the StorageAPI

  • Cleanups

  • Tom has been getting it into Jenkins

  • Very basic configuration documentation in progress.

Rod

• Not able to attend but may lurk for the first part.

• Mostly time spent looking at the non web part of Thymeleaf. I've shared my findings with Scott

• Started looking at the EDS patches from CNRS - accepted 2 of 3, expect to accept the third

• Next up is probably building a jetty installer for 10.0.18.with the new process

  • I'll document it

  • And get someone to test

  • Then do the same for 10.0.20

Scott

• Production javadoc release work, updated Java Product Release Process

  • https://git.shibboleth.net/view/?p=java-parent-project.git;a=blob;f=resources/maven/build-and-deploy-javadoc.sh;h=6cf7acae811be68704e72c1e1f8d9c8860f1c73e;hb=7fa7190187735f5d26c9d48466fac3cd06e4dbe5

• Prototyping Duo Passwordless in my real system

• Grant proposal last week

• Thymeleaf review

• More 5.1 backlog and new miscellany

Tom

• IDP-2228: Safari integration testsOpen making progress

• JWEBAUTHN-2: Add the WebAuthn plugin to JenkinsClosed probably should not use Jenkins pipelines for matrix jobs - we loose the UI table

• expiring-password nit : maybe the default config should include p:useUnfilteredAttributes="true" since it’s unlikely someone would be releasing their password expiration date as an attribute

Other