Shibboleth Developer's Meeting, 2024-03-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-03-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Release schedule - give it another week for final testing?

   1. Firm freeze next Monday, March 4th. Week for testing and bug fixing, release the week of March 11th.

2. Jetty 12

3. Checkstyle – any changes warranted after the release? Move to remote config perhaps?

4. WebAuthn alpha announcement

   1. Add SHIBBOLETH_SNAPSHOT_PGP_KEYS download example to the Plugin testing page

5. Board update

Attendees:

Brent

• Fun with the Eclipse Checkstyle plugin

• Santuario 3.0.4 issue

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JOIDC-13

  • Conformance suite tests passing with IdP 5.0 (with two Velocity template changes) and with 5.1 (no changes)

  • Initial documentation drafted at https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3466559581

• https://shibboleth.atlassian.net/browse/JOIDC-182

  • Changed the wiring to exploit ConditionalResource

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-102

Ian

• Dependencies for v5.1 in decent shape:

  • Santuario 3.0.4 breaks our tests (https://shibboleth.atlassian.net/browse/OSJ-400 )

  • Looking into bumping logback and Jackson to their next minors (have updated to latest patch)

  • Skipping test and build dependencies for now.

  • commons-dbcp2 is two minors behind, but updating to the very latest brings in new keys.

John

• No updates. Still up to my eyeballs in competing demands for my attention.

Marvin

Phil

• Commons:

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-101 - Scott found an issue with the IdP which needed fixing in commons

• ODIC RP

  • https://shibboleth.atlassian.net/browse/JOIDCRP-56 - Same as IDP-2251 but for the RP.

  • https://shibboleth.atlassian.net/browse/JOIDCRP-54 - Added a hook to allow arbitrary claims to be added to the request object

• DuoOIDC

  • Duo passwordless videos

• WebAuthn

  • https://shibboleth.atlassian.net/browse/JWEBAUTHN-2 - Thanks Tom (Jenkins work) and the Yubico guys (Signature work), this is now running and deploying to Nexus.

  • Fixes, ready for alpha on agenda

  • Maybe we should target 5.1 to enable the username caching support.

Rod

• Nothing of note

Scott

• 5.1 cleanup and testing

  • https://shibboleth.atlassian.net/browse/IDP-2251

    • This does break something that was accidentally working but not strictly intended to, I don’t see an alternative at this point.

• Duo Passwordless bug fixing

• Support time ramping up with people finally moving to 5.0

• https://shibboleth.atlassian.net/browse/JTHYMELEAF-2

  • No response from the developer

• SP – reviewing state of my POC code and reconfiguring to explore the idea of an IdP plugin model

• Santuario – as expected, mostly a couple of people suggesting it’s better to fork it than keep it at Apache

Tom

• https://shibboleth.atlassian.net/browse/IDP-2243 not enabled yet, but basic SSO test working via Jenkins

• assert keyword ? needs to be enabled at runtime with -ea ? (Ian: I think when we looked at this last time the conclusion was that assertions weren’t enabled by default at runtime, so shouldn’t be relied on for functionality. I believe we determined that they are enabled during tests, so they can be used instead of Assert when appropriate.)

Other