Shibboleth Developer's Meeting, 2024-02-16
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-03-01. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Rod: IDP-2242 Can/Should we stop using “Unsupported” and rely instead on SECADV/OutOfDate/Current
5.1 freeze schedule
Feature freeze on 2/26, code freeze 3/4 and release that week if possible
Santuario (C++) future
Will make a proposal for a cut-down V3, either at Apache if accepted, or we close it down and fork if not (at which point it's optional for us to do if we want).
Attendees:
Brent
OSJ-391: Default supported TLS protocols appears too broad (Closed)
Think this is done? Leave defaults as they are now?
OSJ-392: OpenSAML's strict processing mode does not load ADFS metadata (Closed)
Think I have a workable solution for the role descriptor adapter issues (mutable collections, and setters which throw). Need to test, mindful of the freeze timing.
Daniel
Henri
JOIDC-186: Support additional refresh token types (Closed)
The JWT refresh token seems to be working as expected in test deployments
JCOMOIDC-96: Support custom/additional metadata policy operators (Closed) and JOIDC-196: Enhance metadata and unregistered client policy config options (Closed)
Working OK for both metadata policies (in registration) and unregistered client policies
Do we want to make a scriptable abstract bean for custom policy operators?
JCOMOIDC-99: Metadata policy merging misses subordinate values with some operators (Closed)
Found when integrating the custom operators (above) to the merging function
Automated logout testing scripts still need to be fine-tuned for minimal template changes
Polishing and minor changes before the minor release, and NonNull work.
Ian
John
Marvin
Phil
RP developments
JOIDCRP-54: Arbitrary claims to request (Closed)
Hook to add arbitrary claims into the signed Request Object.
JOIDCRP-51: Translate nonexistent ACR in responses (In Progress)
Allowed the RP to send empty ACR and AMR claims to the translators. The translation function can be overridden with their own.
WebAuthn developments:
JWEBAUTHN-2: Add the WebAuthn plugin to Jenkins (Closed)
Missing 1 key for cose-java. It looks like Emil has eliminated that dependency from the Yubico libraries, and will be releasing a patch release (2.5.1) very soon. When we grab that, we will not need the key.
Lots of cleanups.
A decent amount of work on the registration process.
Username and password authentication to first register a WebAuthn credential, but WebAuthn flow is required once you have one.
Requires username collection as a first step in the registration flow.
Adding attestation support even if not used initially.
Rod
EDS: We have had three patches submitted. New release?
IDP-2240: Improve adding attributes to views (Closed)
New helper class with 6 methods - any more needed?
IDP-2242: We need to rationalize the use of plugin categories. (Closed) (agenda)
IDP-2236: Update Jetty base for windows installer to Jetty 10/11.0.20 (Closed) - I plan to use this to write the documentation
Other IdP Bugs
Scott
Grant proposal was submitted by Jisc.
Met with Duo regarding Passwordless, follow up planned prior to finalizing
Thymeleaf plugin - think this is in a satisfactory place for the release
https://shibboleth.atlassian.net/browse/IDP-2233
Will consider whether there’s more worth doing but probably good enough for now.
https://shibboleth.atlassian.net/browse/IDP-2245
Noting this only because I did do the initializer refactor to use the new shared base class. I can’t see this causing problems but I’ll want to test that on my dev system before we freeze.
Tom
OIDC tests: looking for example / test flows (as discussed on Slack, thank you)
nit: maybe add link to source on wiki pages for IdP plugins
Other