Shibboleth Developer's Meeting, 2024-08-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-08-16. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent

Daniel

Henri

• Back online next week

Ian

• XML processing, and specifically signatures, in Java. May need some explanation time; looking for insights.

John

• SSPCPP-989: shibboleth-3.4.1-4.amzn2023.x86_64 package - missing /etc/rc.d/init.d/shibdClosed

• SSPCPP-987: Packages for amazon linux 2023 contain don't install systemd service fileClosed again

• SSPCPP-990: Amazon 2023 builds without systemd supportClosed

  • Wherein @Scott Cantor and I begin to consider the relationship among the cpp-linbuild Dockerfiles, the cpp-linbuild SPEC files, and the “upstream” SPEC files (i.e. maintained in each component’s source tree).

• A dividend of this mess is some additional infrastructure I spun up in my own AWS account for testing SP RPMs. The testing is still a manual affair, but at least I have a way to smoke test installs, upgrades, and service start/stop essentials. I had been looking at Docker as a way to do some of that. Its fundamental orientation toward wrapping a single process limits its usefulness to installs and upgrades. That’s not nothing. It’s just not clear pursuing Docker-based automated testing would be worthwhile.

• Also some of the usual minor maintenance on base Docker images:

  • amazonlinux2 → 2.0.20240719.0

  • amazonlinux2023 → 2023.5.20240722.0

  • rhel8 → 8.10-1020

  • rhel9 → 9.4-1181

  • rhel8/rhel9 can now build on aarch64, too

Marvin

Phil

• Away for a week.

• More unit tests and integration tests for WebAuthn plugin

• Away again on the 19th of August for 10 days, so will target that for version 1.0 of the WebAuthn plugin.

Rod

• Its all about Jetty

  • Build jetty 12.0.12.0 msi installer and its in nexus

    • What do we want to do about announcing this?

    • Note that there is a jetty-base and a jetty-base-windows group. Is this correct?

  • Extend plugin framework to handle “packages”

    • I think I can check this in

  • Build a jetty-base plugin

    • Is this real enough to warrant a real (non dev) class branch?

Scott

• Amazon2023 redux

• IdP patch release to fix a filter order issue preventing SameSite and Response headers with some configurations

  • Don’t use Collection-typed APIs when autowiring ordered objects

  • Hit an issue with some integration tests, turned out to be an oddity in the tests

• Work ongoing on SP SAML POC code for generating AuthnRequest, unit tests coming along

  • Still working out agent/hub boundary, e.g. how paths are mapped to functionality like the SAML ACS, needed by hub to produce AuthnRequest since it contains the ACS

  • Since client requests with SAML or OIDC responses are already buffered to be sent to hub for processing, we can look at moving to the long-desired single endpoint model where all protocols and bindings are processed by a single URL (could support the legacy SAML 2 endpoint for compatibility).

  • Thinking that the agent should map URL paths to remote calls to the hub and leave as much URL processing as possible out of the hub and left to the agent

    • Allows local agent-based choices about paths and URL space to fit an agent’s scenario

    • Does mean SP metadata depends on agent choices, but perhaps URLs could be fed into hub to allow it to generate metadata as a deployment tool

Tom

• Made progress on automating the OIDC OP Conformance Suite tests

  • putting on hold while looking at consent issues

  • kinda hacky since Conformance tests use Python - but they seem to work

• Need to refresh the snapshot singing key (thanks Phil)

• Comments as a deployer :

  • OIDC Common plugin - are there release notes ? plugin.sh says an update is available but as a deployer idk how to figure out what’s changed - maybe we could a link to Jira or ? not a big deal

    • (PS) should be these OIDCCommonReleaseNotes - Identity Provider Plugins - Confluence (atlassian.net)?

  • Should I upgrade the OIDC Common plugin from 3.1.0 to 3.1.1 before or after upgrading the IdP from 5.1.2. to 5.1.3 ? maybe we need an Upgrading wiki page for IdP Plugins

  • Trust - when I see this, how do I decide to trust the key ?
    
    

    INFO - Plugin net.shibboleth.idp: Trust store folder does not exist, creating INFO - Plugin net.shibboleth.idp: Trust store does not exist, creating INFO - TrustStore does not contain signature 0x378B845402277962 INFO - Downloading http://shibboleth.net/downloads/PGP_KEYS Accept this key: Signature: 0x378B845402277962 FingerPrint: DCAA15007BED9DE690CD9523378B845402277962 Username: Scott Cantor <cantor.2@osu.edu> [yN]

Other