Shibboleth Developer's Meeting, 2025-03-07

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-03-21. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Attendees:

Brent

• JSATTR-6: SAML AttributeQuery DataConnectorOpen

  • Only slow progress, nothing significant to report.

Daniel

Henri

• JOIDC-222: Support for OpenID FederationIn Progress

  • First prototype for explicit registration flow getting ready

    • High-level comparison to the standard OIDC dynamic registration: clients need to be part of a trusted federation instead of presenting the registration access token

    • Most of the SWF actions from the existing dynamic registration flows can be reused

  • OpenID Federation Interop Event in the end of April

  • Next up

    • Finalise the explicit registration flow

    • Lots of work to be finished on details: metadata policies (merging, constraints), trust mark delegation, etc

Ian

• xmlsectool v4

John

• SSPCPP-1007: Reconcile libmemcached-devel dependency across BuildRequires and DockerfileResolved

• SSPCPP-1008: mod_shib linking to libldap on Rocky 9In Progress

• Image bumps: AL2/2023, RHEL8/9

Marvin

Phil

• WebAuthn v1.1.0 ad-hoc manual testing looks good.

  • Will document it and look to release it next week.

  • Plenty of WebAuthn things that can be worked on, but should probably change focus for a bit?

• Some things I really need to clear up:

  • JDUO-92: Update duo_universal_java to version 1.2.0In Progress

  • JOIDCRP-67: Automate tests against the OIDC conformance suiteOpen

  • JOIDCRP-66: Expose c14n flow list, so it can be separate from the internal listClosed

  • IDP-2339: CSRF failure from Edge on iOSClosed

    • Probably needs rebasing, review, and merging.

    • others…

  • Some feature enhancements:

    • JOIDCRP-62: Add Pushed Authorization Requests endpoint Open

Rod

• nothing

Scott

• IdP backlog

• Wrapped up a redesign of c14n, did some additional refactoring to make Spring config simpler, added “function” variant, updated docs as best I could for now.

  • New features:

    • optimized away use of webflow in most cases

    • eliminated future need for another special “list” bean

    • allow for multiple copies of a given c14n method to run

    • support property to specify which c14n method to use for a given login method

• IDP-2351: Allow per-AuthenticationResult lifetime/timeout policiesResolved

  • Definitely will support this for MFA and External, not sure yet what other methods could effectively make use of it, though MFA scripting may be able to override the settings on the results it obtains pretty easily. The result objects are kind of odd, being somewhat immutable but more by happenstance as to when they get serialized.

Tom

• tests (long-running) and AMI updates

Other