Shibboleth Developer's Meeting, 2024-05-03

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-05-17. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. External testing

   1. Long discussion, some takeaways:

      1. We have at least a couple of people that either do test or would test release candidates if we were more clear on them.

      2. We should start being more proactive about publishing project updates to the dev list, and producing near-term status/schedule updates for people to help awareness of where things are in the cycle.

      3. Long-term, it might be nice to have a staging repository with access control for non-public access to releases for early access, maybe as a member benefit. Will discuss with Board.

      4. Once we automate more of the release process, formal beta or RC releases might make some sense.

      5. In the meantime, we should put together some kind of web page via scripting to let us attach status information for each product with pointers to the relevant snapshots in Nexus, so seeing where things stand and how to grab them would be easy for people. Exposing that in structured form might make sense too.

Attendees:

Brent

• OSJ-400: Failure in OpenSAML tests with Santuario xmlsec 3.0.4Open

  • Did my detailed review last week, looked fine. The original committer had been waiting on Sean to review, that appears to have happened yesterday. Will run our tests against a local build of their SNAPSHOT to confirm.

Daniel

Henri

• JOIDC-200: Support for OAuth2 Pushed Authorization Requests (PAR)Resolved

  • More or less functional already, lacks polishing and testing

  • TODO: public client support, verify unregistered client support

• JOIDC-201: Support for OAuth 2.0 Demonstrating Proof of Possession (DPoP)Resolved

  • Started with the DPoP Proof JWT validation (PAR and token endpoints)

Ian

• On asymptotic approach to MDA 0.10.0

John

• Minor maintenance: cpp-linbuild Docker image bumps for RHEL7, AZL2, AZL2023.

• RHEL 9.4 is GA as of 2024-05-01

Marvin

Phil

• JWEBAUTHN-11: Pull identity information from the AttributeResolver during registrationClosed

  • There is now a strategy you can enable to pull the WebAuthn user.id and the user.displayName from the AttributeContext. There are also defaults if you do not want to do that, or you can supply your own.

• JWEBAUTHN-8: Add an admin flow suitable for an sys admin to manage other users keysClosed

  • There is a basic admin flow for querying for, listing, and removing user credentials.

• Trying to cleanup the WebAuthn documentation.

• I think we can go for a V1 beta in the next few weeks.

  • Still need to think more about storage.

• Duo videos

Rod

• Nothing.

• Next up: Jetty 12 for Windows. Looking for significant simplification in the packaging

Scott

• Draft of roadmap proposal done, sent to Board for review

• “Final” Duo passwordless cleanup, adding admin flow for cookie manipulation and a few odds and ends.

• Set up an EC2 build host for the SP (x86 for now), eventually will want this to be usable by others in case I’m incapacitated.

• Returning to SP prototyping as to implications of making it a plugin

  • Per Slack, diagnosed an issue with the Spring socket gateway, not proving to be robust

  • Lots of factors steering back toward using HTTP for remoting, despite impact on Apache agent

    • Some thinking on agent call security

  • Starting to think about the config implications of serving multiple agents from one hub

    • IdP doesn’t really allow software-aware virtual hosting but multiple agents means the SP would need to

    • Impact on configuring behavior per-agent/application and per-relying-party

      • Considering alternative life choices

Tom

• Working on Jetty 12 integration tests as well as OIDC

Other