2024-08-02

Shibboleth Developer's Meeting, 2024-08-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-08-16. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent


Daniel


Henri

  • Back online next week

Ian

  • XML processing, and specifically signatures, in Java. May need some explanation time; looking for insights.

John

Marvin


Phil

  • Away for a week.

  • More unit tests and integration tests for WebAuthn plugin

  • Away again on the 19th of August for 10 days, so will target that for version 1.0 of the WebAuthn plugin.


Rod

  • It's all about Jetty

    • Built the Jetty 12.0.12.0 MSI installer and it's in Nexus

      • What do we want to do about announcing this?

      • Note that there is a jetty-base and a jetty-base-windows group. Is this correct?

    • Extend plugin framework to handle “packages”

      • I think I can check this in

    • Build a jetty-base plugin

      • Is this real enough to warrant a real (non-dev) class branch?

Scott

  • Amazon2023 redux

  • IdP patch release to fix a filter order issue preventing SameSite and Response headers with some configurations

    • Don’t use Collection-typed APIs when autowiring ordered objects

    • Hit an issue with some integration tests, turned out to be an oddity in the tests

  • Work ongoing on SP SAML POC code for generating AuthnRequest, unit tests coming along

    • Still working out agent/hub boundary, e.g. how paths are mapped to functionality like the SAML ACS, needed by hub to produce AuthnRequest since it contains the ACS

    • Since client requests with SAML or OIDC responses are already buffered to be sent to hub for processing, we can look at moving to the long-desired single endpoint model where all protocols and bindings are processed by a single URL (could support the legacy SAML 2 endpoint for compatibility).

    • Thinking that the agent should map URL paths to remote calls to the hub and leave as much URL processing as possible out of the hub and left to the agent

      • Allows local agent-based choices about paths and URL space to fit an agent’s scenario

      • Does mean SP metadata depends on agent choices, but perhaps URLs could be fed into hub to allow it to generate metadata as a deployment tool

Tom

  • Made progress on automating the OIDC OP Conformance Suite tests

    • putting on hold while looking at consent issues

    • kinda hacky since Conformance tests use Python - but they seem to work

  • Need to refresh the snapshot signing key (thanks Phil)

  • Comments as a deployer :

    • OIDC Common plugin - are there release notes? plugin.sh says an update is available but as a deployer I don't know how to figure out what's changed - maybe we could add a link to Jira or ? not a big deal

    • Should I upgrade the OIDC Common plugin from 3.1.0 to 3.1.1 before or after upgrading the IdP from 5.1.2 to 5.1.3? maybe we need an Upgrading wiki page for IdP Plugins

    • Trust - when I see this, how do I decide to trust the key?

      INFO - Plugin net.shibboleth.idp: Trust store folder does not exist, creating
      INFO - Plugin net.shibboleth.idp: Trust store does not exist, creating
      INFO - TrustStore does not contain signature 0x378B845402277962
      INFO - Downloading http://shibboleth.net/downloads/PGP_KEYS
      Accept this key:
      Signature: 0x378B845402277962
      FingerPrint: DCAA15007BED9DE690CD9523378B845402277962
      Username: Scott Cantor <cantor.2@osu.edu> [yN]
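As a deployer-side answer to the trust question above, the following is an added example (not part of the meeting notes and not code from the Shibboleth plugin installer) that parses the plugin.sh prompt and accepts the key only when its fingerprint matches a value pinned out of band. SAMPLE_PROMPT is constructed from the lines quoted above, and PINNED_FINGERPRINTS is a hypothetical pin list whose entries must be obtained from somewhere other than the PGP_KEYS download itself (the prompt shows that file being fetched over plain http). The self-asserted user ID is deliberately not used as the basis for trust; only the fingerprint is.

```python
import re

# Constructed sample of the plugin.sh prompt, taken from the lines quoted in the notes.
SAMPLE_PROMPT = """INFO - TrustStore does not contain signature 0x378B845402277962
INFO - Downloading http://shibboleth.net/downloads/PGP_KEYS
Accept this key:
Signature: 0x378B845402277962
FingerPrint: DCAA15007BED9DE690CD9523378B845402277962
Username: Scott Cantor <cantor.2@osu.edu> [yN]"""

# Hypothetical pin list (assumption for this example). The fingerprints must come
# from somewhere other than the PGP_KEYS download, e.g. recorded from a previous
# verified install or copied from documentation fetched over HTTPS.
PINNED_FINGERPRINTS = {
    "DCAA15007BED9DE690CD9523378B845402277962": "Scott Cantor <cantor.2@osu.edu>",
}

_SIG_RE = re.compile(r"Signature:\s*0x([0-9A-Fa-f]{16})")
_FP_RE = re.compile(r"FingerPrint:\s*([0-9A-Fa-f]{40})")
_UID_RE = re.compile(r"Username:\s*(.+?)\s*\[yN\]")


def parse_prompt(text: str) -> dict:
    """Pull the long key ID, the fingerprint and the user ID out of the prompt text."""
    sig, fp, uid = _SIG_RE.search(text), _FP_RE.search(text), _UID_RE.search(text)
    if not (sig and fp and uid):
        raise ValueError("prompt does not contain a Signature/FingerPrint/Username triple")
    return {
        "key_id": sig.group(1).upper(),
        "fingerprint": fp.group(1).upper(),
        "uid": uid.group(1),
    }


def decide(key: dict, pinned: dict) -> tuple:
    """Return (accept, reason). Only the fingerprint is authoritative for the decision."""
    fp, key_id = key["fingerprint"], key["key_id"]
    # For a v4 OpenPGP key the long key ID is the low 64 bits (last 16 hex digits)
    # of the fingerprint; a mismatch means the prompt itself is inconsistent.
    if fp[-16:] != key_id:
        return False, f"key ID {key_id} is not the low 64 bits of fingerprint {fp}"
    if fp not in pinned:
        return False, f"fingerprint {fp} is not pinned; verify it out of band before answering y"
    # The user ID is self-asserted and is not bound by anything in the prompt;
    # it is compared only to catch a pin-list mix-up, never as the trust basis.
    if pinned[fp] != key["uid"]:
        return False, f"user ID {key['uid']!r} differs from pinned {pinned[fp]!r}"
    return True, f"fingerprint {fp} matches pinned value for {key['uid']}"


if __name__ == "__main__":
    accept, reason = decide(parse_prompt(SAMPLE_PROMPT), PINNED_FINGERPRINTS)
    print("y" if accept else "N", "-", reason)
```

The check only helps if the pinned fingerprint was itself obtained through a channel you trust; a fingerprint copied from the same plaintext download would just confirm the download against itself.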

Other