Shibboleth Developer's Meeting, 2024-10-18
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-11-01. Any reason to deviate from this?
60- to 90-minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Nexus Coordinates for the jetty and SP plugins
Subquestion: Where does the “legacy jetty base” live
Plugin documentation proposal to move “most” of them into IdP doc space
(Lack of) timeout for HttpClient – any appetite to try to fix?
Plugin use of impl classes
Attendees:
Brent
Daniel
Henri
Finalising and documenting the OP 4.2.0 release
JOIDC-201: Support for OAuth 2.0 Demonstrating Proof of Possession (DPoP) (Resolved)
Final adjustments regarding nonces and some other details
Release (common 3.2, OP 4.2) scheduled for Wednesday
Ian
Spring Framework 6.2.0 GA expected mid-November.
John
No progress worth mentioning on ECR integration
Tested SP upgrade (3.4.1-6 → 3.5.0-1) on all supported platforms (x86-64 and aarch64) except CentOS 7 & 8
Marvin
Phil
JWEBAUTHN-27: Add basic authenticator policy (Closed)
Pretty much done testing, will merge that into main today.
Need to fix the newly structured wiki docs.
IDP-2339: CSRF failure from Edge on iOS (Open)
Will look to add more options for token generation and look to only enforce on POST requests.
JCOMOIDC-115: Update Nimbus oauth2-oidc-sdk into 10.15 (Resolved)
Will retest the RP and Duo, given there might be a release of this soon.
New tester of the RC.
Rod
Jetty plugin
Bug Squashing
Scott
Proposals for IdP doc improvement
SP 3.5 release
Waiting on final testing of RPMs before publishing
Xerces 3.3.0 and xml-security 3.0.0 tagged and released
Reviewing existing SP design notes to align to running code
Prep for beginning to work on agent development plan, expecting possible external contribution to that work
Current state of things is to allow agents to act as any URLs because determination of entityID is entirely Java-side
Could still supply an unused callout for validation
SP’s auto-vhosting feature would be handled by moving generation of entityID to hub, so the entityID “pattern” remains controlled
Need to see if that assumption holds for OpenID
Tom
Seems like global.xml should be reloaded when any service is reloaded, since it's … global? Or maybe it is.
MFA: trying to use the authn/MFA flow as a mechanism for failover. Should step-up authn work?
Use case: want to fail over to a backup authn flow (External) if the primary (SAML) is not available (e.g. a disaster scenario).
MFA strategy is simple: always return the primary authn flow unless a certain file exists, in which case return the backup authn flow.
Step-up MFA is not working > NoAuthnContext. What to do?
Other