Shibboleth Developer's Meeting, 2024-11-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-11-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• RDW:JMVN-68: Remove signatures from the enforcer dataClosed

  • Mostly For locally signed artifacts no longer used (xercesImpl, xml-apis)

  • I am reluctant to remove anything from a Keystore just because it isn't being used right now

  • Ditto keystores themselves.

Attendees:

Brent

• JSATTR-6: SAML AttributeQuery DataConnectorOpen

  • Still coming along. Progress slow over last couple of weeks due to local Project From Hell.

• JSMD-11: Add support for HttpClient responseTimeout param to relevant componentsOpen

  • Completed for HTTP metadata resolvers.

• JSSH-55: Clarify behavior of new HttpClient responseTimeout parameterOpen

  • We discussed this as an open question and I opened this issue to track.

Daniel

• Nothing to report.

Henri

• JOIDC-222: Support for OpenID FederationIn Progress

  • DynamicMetadataCache (in oidc-common) based trust chain resolution

    • Signature validation via metadata filters (BiFunction -hook)

  • Finishing first prototype for automatic registration via PAR and authorize -endpoints

Ian

• Nothing to report.

John

• SSPCPP-994: Memcache introduced into RPM buildClosed

• SSPCPP-995: Remove intermediate per-component builder imagesResolved

Marvin

Phil

• JWEBAUTHN-27: Add basic authenticator policyOpen

  • Cleaning this up based on feedback.

  • Also cleaning up the registration and management UIs. Credentials can be labelled in the view. e.g.

    • 

  • Once merged into main, I will announce RC3.

• After RC3 is announced, I will switch contexts to work on:

  • WebAuthn Docs

  • the CSRF changes in the IdP IDP-2339: CSRF failure from Edge on iOSOpen

  • Updates to the Native Duo SDK JDUO-92: Update duo_universal_java to version 1.2.0Open

  • RP Automated tests against the OIDC conformance suite. I had a call with Henri about this, so I see a route forward

  • Think about HTTP APIs to the WebAuthn registration repository

Rod

• Bug squashing

• Jetty re-org (and fallout). No new testing

• Tracking the CPP code in the windows build

Scott

• IDP-2288: Injection of beans into BeanPostProcessor causes Spring warningsResolved

  • Replaced post processors with “property-specifiied class” indirection in Spring parser, deployer-compatible with original design

  • Had to redesign the ByReference metadata filter handling to preserve proper filter order

• SP 3.5 release, smooth apart from some older packaging mistakes

• Design breakdown for SP agent work

  • Native Agent Design/Development Plan

• Branched cpp-sp and started teardown of existing code base

  • Plan is to get as much torn out as possible before working back up to new or replacement code, but keep it building as much as possible.

  • Looking at unit testing to validate new development to defer the need to produce a working agent I can test against Java (same way I tested the Java without a working agent). Boost has a unit testing framework worth looking at.

Tom

• Thanks Henri - OP Conformance Suite tests pass for IdP 5.1.3 and V5

  • still need to work on the logout conformance tests

  • probably should test previous, current, and next versions of the OP plugin with both IdP 5.1.3 and 5.2

• Thanks Rod - Jetty Plugin tests a work in progress

• Back to working on IDP-2323 - consent invalid data

  • as I have mentioned, throwing the JsonException is trivial

    • looking at how that would affect storage record pruning and what to do with that “feature”

Other