2024-08-02
Shibboleth Developer's Meeting, 2024-08-02
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-08-16. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
Daniel
Henri
Back online next week
Ian
XML processing, and specifically signatures, in Java. May need some explanation time; looking for insights.
John
SSPCPP-989: shibboleth-3.4.1-4.amzn2023.x86_64 package - missing /etc/rc.d/init.d/shibd (Closed)
SSPCPP-987: Packages for Amazon Linux 2023 don't install systemd service file (Closed again)
SSPCPP-990: Amazon 2023 builds without systemd support (Closed)
Wherein @Scott Cantor and I begin to consider the relationship among the cpp-linbuild Dockerfiles, the cpp-linbuild SPEC files, and the “upstream” SPEC files (i.e. maintained in each component’s source tree).
A dividend of this mess is some additional infrastructure I spun up in my own AWS account for testing SP RPMs. The testing is still a manual affair, but at least I have a way to smoke test installs, upgrades, and service start/stop essentials. I had been looking at Docker as a way to do some of that. Its fundamental orientation toward wrapping a single process limits its usefulness to installs and upgrades. That’s not nothing. It’s just not clear pursuing Docker-based automated testing would be worthwhile.
Also some of the usual minor maintenance on base Docker images:
amazonlinux2 → 2.0.20240719.0
amazonlinux2023 → 2023.5.20240722.0
rhel8 → 8.10-1020
rhel9 → 9.4-1181
rhel8/rhel9 can now build on aarch64, too
Marvin
Phil
Away for a week.
More unit tests and integration tests for WebAuthn plugin
Away again on the 19th of August for 10 days, so will target that for version 1.0 of the WebAuthn plugin.
Rod
It's all about Jetty
Build Jetty 12.0.12.0 MSI installer, and it's in Nexus
What do we want to do about announcing this?
Note that there is a jetty-base and a jetty-base-windows group. Is this correct?
Extend plugin framework to handle “packages”
I think I can check this in
Build a jetty-base plugin
Is this real enough to warrant a real (non-dev) class branch?
Scott
Amazon2023 redux
IdP patch release to fix a filter order issue preventing SameSite and Response headers with some configurations
Don’t use Collection-typed APIs when autowiring ordered objects
Hit an issue with some integration tests, turned out to be an oddity in the tests
Work ongoing on SP SAML POC code for generating AuthnRequest, unit tests coming along
Still working out agent/hub boundary, e.g. how paths are mapped to functionality like the SAML ACS, needed by hub to produce AuthnRequest since it contains the ACS
Since client requests with SAML or OIDC responses are already buffered to be sent to hub for processing, we can look at moving to the long-desired single endpoint model where all protocols and bindings are processed by a single URL (could support the legacy SAML 2 endpoint for compatibility).
Thinking that the agent should map URL paths to remote calls to the hub and leave as much URL processing as possible out of the hub and left to the agent
Allows local agent-based choices about paths and URL space to fit an agent’s scenario
Does mean SP metadata depends on agent choices, but perhaps URLs could be fed into hub to allow it to generate metadata as a deployment tool
Tom
Made progress on automating the OIDC OP Conformance Suite tests
putting on hold while looking at consent issues
kinda hacky since Conformance tests use Python - but they seem to work
Need to refresh the snapshot signing key (thanks Phil)
Comments as a deployer:
OIDC Common plugin - are there release notes? plugin.sh says an update is available, but as a deployer I don't know how to figure out what’s changed - maybe we could add a link to Jira or similar? Not a big deal.
(PS) Should these be OIDCCommonReleaseNotes - Identity Provider Plugins - Confluence (atlassian.net)?
Should I upgrade the OIDC Common plugin from 3.1.0 to 3.1.1 before or after upgrading the IdP from 5.1.2 to 5.1.3? Maybe we need an Upgrading wiki page for IdP Plugins.
Trust - when I see this, how do I decide to trust the key ?
INFO - Plugin net.shibboleth.idp: Trust store folder does not exist, creating
INFO - Plugin net.shibboleth.idp: Trust store does not exist, creating
INFO - TrustStore does not contain signature 0x378B845402277962
INFO - Downloading http://shibboleth.net/downloads/PGP_KEYS
Accept this key:
Signature: 0x378B845402277962
FingerPrint: DCAA15007BED9DE690CD9523378B845402277962
Username: Scott Cantor <cantor.2@osu.edu> [yN]
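One way a deployer can answer the "how do I decide to trust the key" question is to treat the prompt as data rather than something to eyeball: parse the key id, fingerprint and user id out of it, confirm the key id is actually derived from the fingerprint, and compare the fingerprint against one recorded beforehand from a source other than the download itself. The script below is an added example written for these notes; it is not plugin.sh's own logic and makes no claim about how the plugin builds its trust store. The prompt text is the one quoted above, and the PINNED_FINGERPRINTS entry is a placeholder copied from that prompt only so the example runs; a real pinned value has to come from somewhere you already trust.

```python
import re

# Constructed sample input: the plugin prompt quoted in the meeting notes.
PROMPT = """\
INFO - Plugin net.shibboleth.idp: Trust store folder does not exist, creating
INFO - Plugin net.shibboleth.idp: Trust store does not exist, creating
INFO - TrustStore does not contain signature 0x378B845402277962
INFO - Downloading http://shibboleth.net/downloads/PGP_KEYS
Accept this key:
Signature: 0x378B845402277962
FingerPrint: DCAA15007BED9DE690CD9523378B845402277962
Username: Scott Cantor <cantor.2@osu.edu> [yN]
"""

# PLACEHOLDER: fingerprints you recorded out of band (from the project's
# published key list reached over a channel you trust, or confirmed with the
# signer). This value is copied from the prompt itself purely so the example
# runs; comparing a download against itself proves nothing.
PINNED_FINGERPRINTS = {
    "DCAA15007BED9DE690CD9523378B845402277962": "Scott Cantor <cantor.2@osu.edu>",
}


def parse_prompt(text):
    """Extract key id, fingerprint and user id from the 'Accept this key' prompt."""
    sig = re.search(r"^Signature:\s*0x([0-9A-Fa-f]{16})", text, re.M)
    fp = re.search(r"^FingerPrint:\s*([0-9A-Fa-f]{40})", text, re.M)
    uid = re.search(r"^Username:\s*(.+?)\s*\[yN\]", text, re.M)
    if not (sig and fp and uid):
        raise ValueError("prompt did not contain signature, fingerprint and username")
    return {
        "keyid": sig.group(1).upper(),
        "fingerprint": fp.group(1).upper(),
        "uid": uid.group(1),
    }


def fetched_over_plain_http(text):
    """True if the log shows the key list being pulled over http:// rather than https://."""
    return any(line.startswith("INFO - Downloading http://") for line in text.splitlines())


def evaluate(text, pinned=PINNED_FINGERPRINTS):
    """Return (accept, reasons). accept is False on any hard mismatch."""
    info = parse_prompt(text)
    hard, notes = [], []

    # For an OpenPGP v4 key the long key id is the low 64 bits of the
    # fingerprint, i.e. its last 16 hex digits. A prompt whose id does not
    # match its fingerprint is inconsistent and should not be accepted.
    if not info["fingerprint"].endswith(info["keyid"]):
        hard.append("key id is not the tail of the fingerprint")

    expected_uid = pinned.get(info["fingerprint"])
    if expected_uid is None:
        hard.append("fingerprint is not in the pinned list")
    elif expected_uid != info["uid"]:
        hard.append("user id differs from the pinned record")

    # Informational only: plain HTTP means the fingerprint comparison above is
    # the entire basis for trust, since the transport adds none.
    if fetched_over_plain_http(text):
        notes.append("key list fetched over plain HTTP; pinned fingerprint is the only check")

    return (not hard, hard + notes)


if __name__ == "__main__":
    ok, reasons = evaluate(PROMPT)
    print("accept" if ok else "reject", reasons)
```

The decisive line is the dictionary lookup: the prompt's own fingerprint is only evidence once you have something independent to compare it with. The key-id check catches a garbled or inconsistent prompt, and the HTTP note records that, for this fetch, the out-of-band fingerprint is doing all the work.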
Other