Shibboleth Developer's Meeting, 2025-02-07

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-02-21. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Board workshop post-mortem

2. More involvement in wider OIDFed pilot/planning work?

   1. (PS) We might also start a PoC in the UKFed.

3. (PS and Alex) For understanding, PQC experiments based on the research paper.

Attendees:

Brent

• JSATTR-6: SAML AttributeQuery DataConnectorOpen

  • A lot of progress since last call. Worked through Assertion validation issue and fleshed out the rest of the connector. Need to circle back on a few TODOs.

  • Some key strategy function plugins and unit tests still pending.

Daniel

• Nothing to report.

Henri

• OP 4.2.1 patch out last week to fix a minor regression bug related to logout propagation

  • Feels not feasible to fully cover this via flow tests (propagation flows are called via iframes)

• JOIDC-222: Support for OpenID FederationIn Progress

  • API endpoints (token, userinfo, introspection and revocation) can now be configured to exploit metadata caches

    • Authorization code and access/refresh tokens carry data about trust chain used for automatic registration

    • Token-endpoint was refactored to unwrap the grant (code or refresh token) before metadata lookup and client authentication

  • Initial flow tests exist for automatic registration in the authorization endpoint

    • Mockito seems to work with Spring XML too (mock HttpClient built via global.xml for tests)

    • I try to structure the new tests better than the existing ones (AuthorizeFlowTest and TokenFlowTest classes are 2k+ LOC each..)

  • Next up:

    • Automatic registration via PAR

Ian

• MDA 1.0.0

• xmlsectool 4.0.0

John

• SSPCPP-1003: Remove support for RHEL 6Resolved

• SSPCPP-1004: Remove support for Amazon Linux 1Resolved

• SSPCPP-1006: Support building RPMs for RHEL 10 (beta)Resolved

• Minor image bumps

Marvin

Phil

• JWEBAUTHN-43: evaluate credential policy rules for all tokens in store before authenticationClosed

  • Took a bit longer than I thought, as I wanted to get good test coverage of it

• JWEBAUTHN-37: Lookup user credentials from user handle expects user handleClosed

• JWEBAUTHN-42: credential policies are not evaluated for all keysClosed

• JWEBAUTHN-36: giving a username that does canonicalize to management search leads to uncaught exceptionClosed

• JWEBAUTHN-33: Make collecting nickname during key registration optional/configurableClosed

• Was hoping for a 1.1.0 next week. But looks likely to push into the week starting the 17th.

Rod

• SP Agents now build on Windows

  • Include ARM64

• Working on WinHttp Remoting

Scott

• SP primarily

  • Completed initial build and test of curl-based remoting service

  • Some research into (severe) limitations of TLS support on WinHTTP

    • Will have to copy curl’s schannel verifier to make it work (assuming we don’t back off and ship curl again)

  • Built new (much simpler) handler configuration approach for agents

  • Successful load/test of module and Status handler endpoint on Apache

  • Built a first cut at a protocol-neutral SessionInitiator handler

    • Back to Java to adjust existing work I did against changes made in that handler to be able to run a complete test

• Once SP reaches that point, will probably start on IdP and plugin backlog, which is getting substantial

Tom

• nada

Other