2025-02-21
Shibboleth Developer's Meeting, 2025-02-21
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-03-07. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
(rdw) Can we get out from under WiX (Windows installer)?
Attendees:
Brent
JSATTR-6: SAML AttributeQuery DataConnector (Open)
Working on the SimpleAggregation case, similar to the SP one.
Daniel
Working on ldaptive release to address netty CVE. Nothing to report today.
Henri
JOIDC-222: Support for OpenID Federation (In Progress)
Initial support for automatic registration in the PAR endpoint now works
The claims set serialized within request_uri contains the trust chain reference → enforces authorize endpoint to use the same
Some refactoring in authorize-endpoint: request_uri needs to be deserialized before metadata-lookup
Initial flow tests for automatic registration via PAR and authorize endpoints committed
Still very simple - more advanced cases TBD: multiple trust chains, filtering via trust marks, etc
Next up
Explicit registration
Ian
xmlsectool v4
Java versions
John
Marvin
Phil
Still working through the WebAuth 1.1.0 issues, these are left:
JWEBAUTHN-32: add a Last Used field to registration and management views (In Progress) - requires the interface update (which I will do with the default method approach)
JWEBAUTHN-44: Document approach for conditionally requiring 2fa for the registration flow (In Progress) - exposed the forceAuthn property of the admin flows (which I forgot to do in v1). Adding a guard that can be used to ensure some kind of strong auth was used to authenticate to the admin flow after you have registered a FIDO2 credential.
And the new one
Hopefully, complete them and run them through some e2e testing next week ready for a release.
Rod
CPPSP-8: WinHTTPRemotingService Development (Open)
Currently struggling with Chunked transfers (not needed but important to bottom out while I have that stuff swapped in)
Stubbed callback for server cert validation
But also need to check that this is enough.
Scott
IdP 5.2 backlog work
Working on several issues related to subject c14n to address various messy aspects of the original “single chain of c14n flows” design, which was…idiotic would be the polite term.
Moving in the direction of “define c14n flow, define (or reuse) bean to represent it, specify property per login flow that names one or more beans to use”.
Effectively a property-based chain per use case.
Will allow, among other things, > 1 copy of e.g. the attribute-sourced c14n flow to be attempted for different use cases.
Still working on compatibility questions, but if the code holds it would default to installing the original legacy list of beans, suffixed with any free standing beans not in that list, which should retain existing behavior (I think).
Tom
tests and Java updates, absent for call
Other