Shibboleth Developer's Meeting, 2024-03-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-03-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Release schedule - give it another week for final testing?

   1. Firm freeze next Monday, March 4th. Week for testing and bug fixing, release the week of March 11th.

2. Jetty 12

3. Checkstyle – any changes warranted after the release? Move to remote config perhaps?

4. WebAuthn alpha announcement

   1. Add SHIBBOLETH_SNAPSHOT_PGP_KEYS download example to the Plugin testing page

5. Board update

Attendees:

Brent

• Fun with the Eclipse Checkstyle plugin

• Santuario 3.0.4 issue

Daniel

Henri

• JOIDC-13: Support for OIDC LogoutClosed

  • Conformance suite tests passing with IdP 5.0 (with two Velocity template changes) and with 5.1 (no changes)

  • Initial documentation drafted at OPLogout

• JOIDC-182: Spurious warning "File resource is null, no bytes will be returned"Closed

  • Changed the wiring to exploit ConditionalResource

  • JCOMOIDC-102: Implement metadata cache loading strategy for generic resourcesClosed

Ian

• Dependencies for v5.1 in decent shape:

  • Santuario 3.0.4 breaks our tests (OSJ-400: Failure in OpenSAML tests with Santuario xmlsec 3.0.4Open )

  • Looking into bumping logback and Jackson to their next minors (have updated to latest patch)

  • Skipping test and build dependencies for now.

  • commons-dbcp2 is two minors behind, but updating to the very latest brings in new keys.

John

• No updates. Still up to my eyeballs in competing demands for my attention.

Marvin

Phil

• Commons:

  • JCOMOIDC-101: Fix Principal typing issue in profile config default implementationClosed - Scott found an issue with the IdP which needed fixing in commons

• ODIC RP

  • JOIDCRP-56: map OIDC ACRs to SAML authnContexts in proxied authentication?Closed - Same as IDP-2251 but for the RP.

  • JOIDCRP-54: Arbitrary claims to requestClosed - Added a hook to allow arbitrary claims to be added to the request object

• DuoOIDC

  • Duo passwordless videos

• WebAuthn

  • JWEBAUTHN-2: Add the WebAuthn plugin to JenkinsClosed - Thanks Tom (Jenkins work) and the Yubico guys (Signature work), this is now running and deploying to Nexus.

  • Fixes, ready for alpha on agenda

  • Maybe we should target 5.1 to enable the username caching support.

Rod

• Nothing of note

Scott

• 5.1 cleanup and testing

  • IDP-2251: Map OIDC ACRs to SAML AC classes in proxied authenticationClosed

    • This does break something that was accidentally working but not strictly intended to, I don’t see an alternative at this point.

• Duo Passwordless bug fixing

• Support time ramping up with people finally moving to 5.0

• JTHYMELEAF-2: Try to get Keys for Thymeleaf related jarsOpen

  • No response from the developer

• SP – reviewing state of my POC code and reconfiguring to explore the idea of an IdP plugin model

• Santuario – as expected, mostly a couple of people suggesting it’s better to fork it than keep it at Apache

Tom

• IDP-2243: Initial OIDC OP testsOpen not enabled yet, but basic SSO test working via Jenkins

• assert keyword ? needs to be enabled at runtime with -ea ? (Ian: I think when we looked at this last time the conclusion was that assertions weren’t enabled by default at runtime, so shouldn’t be relied on for functionality. I believe we determined that they are enabled during tests, so they can be used instead of Assert when appropriate.)

Other