2024-08-16

Shibboleth Developer's Meeting, 2024-08-16

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-09-05. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

  • (PS) WebAuthn RC announce to ‘dev’ or ‘announce’?

Attendees:

Brent

Daniel

Henri

    • Also moved the subflow-call to outbound interceptor flows after the response has been built, but before the encoding to HTTP response

    • The implementation should now cover the spec

    • Final missing feature was to require DPoP-binding of refresh tokens for public clients, but still enable bearer access token issuance

    • TODO: investigate more whether we could do only minor updates of the Nimbus stack to avoid oidc.common module incompatibilities

    • Started with the Entity Configuration endpoint

    • Following Nimbus refactoring for their fed-implementation:

Ian

  • Fixed the long-standing MDA signature bug, as described last time.

  • Thanks to Phil and Alex, MDA 0.10.0 is now in production in the UKf.

John

  • Nothing new to report

  • Next up in no particular order:

    • Remove SPEC support for SUSE, and maybe old RHEL versions too

    • Copy/sign build targets

    • Keep builder images in ECR

Marvin


Phil

  • WebAuthn version 1 release.

    • Did not release v1, moved to a release candidate instead; version 1 expected end of August or early September

    • Issues caught while testing the beta:

      • Random number generation using SecureRandom.getInstanceStrong() used the NativePRNGBlocking type, which can hang on use.

      • Client-side storage was not being read from or written to properly for the admin flows, affecting deployments which wanted to store credentials in the browser, which is not the default.

      • Some additional logging and property cleanups.

  • Possible WebAuthn next steps after v1:

    • Support HTTP APIs for registration

    • Support the draft WebAuthn extension to limit key generation to those bound to a device, i.e., those that do not sync, so excluding things like iCloud Keychain. This might be important in enterprise deployments.
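As an added illustration of the NativePRNGBlocking issue noted above (example code, not code from the WebAuthn plugin), the following shows how to check which algorithm SecureRandom.getInstanceStrong() resolves to on the running JVM and how to obtain a non-blocking generator instead; the class name PrngCheck and the helper names are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

public final class PrngCheck {

    /**
     * Reports which algorithm getInstanceStrong() resolves to on this JVM.
     * On Linux JDKs the default "securerandom.strongAlgorithms" list starts with
     * NativePRNGBlocking, which reads /dev/random and can stall when the entropy
     * pool is low; that is the hang observed during the WebAuthn beta testing.
     */
    static String strongAlgorithm() throws NoSuchAlgorithmException {
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));
        return SecureRandom.getInstanceStrong().getAlgorithm();
    }

    /**
     * Non-blocking alternative: the default SecureRandom picks the provider's
     * first generator (NativePRNG on Linux, backed by /dev/urandom), which is
     * cryptographically suitable for challenges and does not block.
     */
    static SecureRandom nonBlockingRandom() {
        return new SecureRandom();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("getInstanceStrong() -> " + strongAlgorithm());
        SecureRandom rng = nonBlockingRandom();
        System.out.println("default SecureRandom -> " + rng.getAlgorithm());
        byte[] challenge = new byte[32]; // constructed: a 32-byte challenge buffer
        rng.nextBytes(challenge);
        System.out.println("generated " + challenge.length + " bytes without blocking");
    }
}
```

Running the check on a host where the first line prints NativePRNGBlocking confirms that getInstanceStrong() will read from /dev/random there.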


Rod

  • Jetty plugin now installs Jetty and a bat/sh file to run it from a command line. Volunteers for Unix testing?

  • Developing some ideas on using it to replace the Windows installer

    • It hinges on making the Windows installer a shell around plugin -I net.shibboleth.idp.plugin.jetty

    • The amount of work will depend on how lenient the customers will be (so we will need to engage with them)

    • But first I want to get all the post install configuration script driven (if possible)

Scott

  • IdP patch

    • Metadata gen still broken, but not planning to rush that out. Suggesting we fully deprecate that for 6.0 and build a new online flow to generate IdP metadata after install if desired.

  • SP development

    • Most of SAML 2 initiator working, supporting options from profile config combined with agent input, subject to policy

    • Working on “state token” management implementations for RelayState, have untested versions using StorageService and cookies as in current SP

      • Don’t see a practical way to avoid exposing resource URLs to the hub, though I’d rather that weren’t a requirement. In principle an agent could build more code inside itself to mask them; I just don’t intend to.

Tom

  • Might miss the call

  • Have a plan for fixing the consent issues

    • attribute-release template needs a little work after the accessibility changes

    • will probably add a simple action to validate that all attributes are consented to when per-attribute is false

Other