Development Progress

Page to keep tabs on the work that’s been done pending using Jira to start tracking individual work items.

Java Progress

  • SP project converted to an IdP plugin runnable in the testbed, also a SAML plugin adding the SAML protocol support.

  • A functional “probably not too far off the final proposal” AgentResolver service is built with some config samples for wiring up Agents, Applications, and the RelyingParty/Profile beans into them.

  • An abstract SP flow is built that handles secret-based agent authentication via HTTP Basic-Auth supporting secrets attached via Spring and our various password CredentialValidators, mostly untested except for the Spring case.

  • Java session is used to cache record of authentication for fast reuse.

  • Agents can specify “basic” or null authentication methods, the latter skipping all of the auth logic but still doing address check.

  • Decoding and Encoding of request and response DDF objects is done, bypassing the MessageContext model in order to prevent the overlap later to use those for SSO protocol messages.

  • Some error handling mocked up and tested that returns any error event in a simple DDF structure to the agent in a “result“ member.

  • A ping flow (inheriting from the abstract SP flow) with a dummy action that adds the epoch to a long field in the output.

  • A parse-request-map flow to parse the RequestMap element for an agent. An updated schema and namespace that covers most, but not all, of the old RequestMap syntax is being used. Once the specific supported options settle we’ll change that to reflect current practice. This may not survive as there is another option being reviewed for use in parsing the config and allowing use of simple XML in a few places like this.

    • curl -k -X POST -H "Content-Type: text/plain" --data-binary @sp-server-impl/src/test/resources/net/shibboleth/sp/config/impl/example-map.ddf -u sp.example.org:foo https://localhost/idp/profile/sp/parse-request-map

      • Notably I don’t know how sensitive this will be to non-binary commands. ASCII probably works since the input data is all ASCII already.

      • The XML itself should be ok in any valid XML encoding, ASCII or UTF-8 of course being the norm.

  • A storage flow to perform remoted StorageService operations on behalf of the agent. Contexts are auto-qualified by the agent ID to prevent overlap.

  • A sealer flow to peform encrypt/decrypt operations using a DataSealer. Data is auto-qualified by the agent ID to prevent misuse of data.

  • A session initiator flow to drive an extensible set of subflows in Application-controlled order to generate a login request for an agent to send back to the user agent.

    • A SAML 2.0 POC session-initiator subflow reusing “most” of the logic from the IdP’s proxying support and generic function for signing, encryption, and message encoding. Only one minor OpenSAML addition required so far to allow metadata to be sourced via the active Application interface instead of statically injected.

  • A token consumer flow to drive an extensible set of subflows in Application-controlled order to handle SSO responses. First subflow indicating it can proceed wins.

    • A SAML 2.0 POC token-consumer subflow reusing the back-half of the IdP’s proxying support for decoding/validation of the response, followed by new logic to extract data and encode the results into output for the agent with a redirect to the original resource.

Agent Progress

  • Branched cpp-sp repository (maint-3 for the current SP, main for the new work).

  • Removed:

    • Apache < 2.4 support and removed all legacy code for those versions

    • shibd, memcache, ODBC, ADFS, NSAPI support from build and deleted sources

    • various utilities from the build

    • plugins project from the build while retaining a few source files for future adaptation

    • TransactionLog code

    • AttributeFIlter, AttributeResolver, AttributeExtractor, AttributeDecoder code

    • various attribute classes not expected to be used, likely the rest will follow

    • SP-specific Metadata and SecurityPolicy code.

    • various handlers not planned for V4 (SAML 1.1 and legacy WAYF support, outbound Artifact Resolution, External Auth hook, NameID management)

    • ProtocolProvider and code doing auto-generation of handlers based on rules about SAML

    • Transform, Cookie, and Form SessionInitiators

  • Renamed shibsp-lite to shibsp and eliminated the “full” variant, removing the non-lite material from the configure script.

  • Built Boost-backed PropertySet implementation with some slight changes from the model used before. Unit tested some approaches with both ini and XML formats that should be suitable for the “master” configuration and the more complex hierarchical needs of the RequestMap.

  • Ported small subset of log4shib over into a new logging API, initially just the Category front-end to allow the existing code to mostly be ported to it easily, and a new back-end SPI that we can code to for predefined output scenarios.

    • Console and syslog POCs done

  • Started building AgentConfig as a replacement for SPConfig and unit tested basic startup/shutdown with some logging

  • Migrated various xmltooling-housed classes up into SP that are known to be needed