Shibboleth Developer's Meeting, 2025-03-21

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI (Note US times are the same as usual, others are not due to time zones.)

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-04-04. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. 5.1.4 patches

   1. Status

   2. One question…do we bump xmlsec on the branch? I moved to 3.0.5 for main a short while ago.

Attendees:

Brent

• OSJ-427: Simple signature verification fails to detect parameter smugglingClosed

  • Spring wiring of HTTP request validators done for SAML 1 and 2 requests, SAML AuthN still pending

  • Working on decoder + handler changes as discussed

Daniel

Henri

• JOIDC-222: Support for OpenID FederationIn Progress

  • Initial (partial) implementations now exist for both automatic and explicit registration

  • Trust chain and metadata resolution is done by OP itself

    • Involves many HTTP calls, metadata policy merging, enforcement, trust mark validation, etc

  • Work in progress for the alternative resolution methods:

    • Trust chain pushed in the request (request object or explicit registration request)

      • Metadata resolution still done by OP

    • Resolution via Resolve Entity API

      • Request: entity subject and trust anchor ID

      • Response: trust chain, metadata (and trust marks)

Ian

• xmlsectool v4.

  • Hit a regression in PKCS#11 handling which was introduced by xmlsec 3.0.3.

  • Hopefully we can get some real user testing next week if this is resolved.

• Guava update(s).

• Spring Framework update.

John

• Nothing to report

Marvin

Phil

• WebAuthn 1.1.0 release

• Some other tasks:

  • JDUO-92: Update duo_universal_java to version 1.2.0In Progress

    • Probably looking to release a new DuoOIDC patch or minor in the next few weeks.

  • CSRF merge

  • Going to take a scan of the RP next week.

Rod

• nothing

Scott

• SP patch postmortem

  • If we do another API bump, I probably will implement the “better” fix and track a signature string constructed in the decoder inside the SecurityPolicy object, which holds per-request state, and just do the verify step in the rule class.

• IdP 5.1.4 backporting

• IdP 5.2 backlog work cont.

Tom

• nothing

Other