2025-04-04

Shibboleth Developer's Meeting, 2025-04-04

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI (Note US times are the same as usual, others are not due to time zones.)

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-04-18. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. Patch post-mortem

    1. OpenSAML advisory

  2. Jenkins weirdness

  3. OSJ-424: opensaml-bom forces the version of Spring Framework (Open)

    1. Just noting it, seems like we need to plan on redoing it all again for V6.

  4. (PS, if time) Some TIIME feedback.

    1. OpenID ‘Connect’ federations (Wallets out of scope for this)

    2. RP support is poor. So adapting ‘vanilla’ RPs to support OIDFed.

    3. Proxies in front of ‘vanilla’ OPs and RPs.

    4. Generating a list of OPs for OP discovery (and UI info which is all missing, filtering by trust_marks)

    5. Federation topologies, trusted trust mark issuers

    6. As Henri says, resolvers that resolve and verify trust_chains and metadata policies (need to be performant).

Attendees:

Brent

  • No progress to report this week, since the patch release had a GU deadline for yesterday.

  • May have to step away from call briefly if maintenance guys show up.

Daniel

 

Henri

  • Absent today, apologies

  • JOIDC-222: Support for OpenID Federation (In Progress)

    • Initial support for pushed trust chain support within explicit registration

      • Fits explicit registration “naturally”

      • Much more challenging fit to the automatic registration, unless we store the RP record state on server-side

        • We can’t really store the complete chain of entity statements (JWTs) inside the authorization code or tokens

    • Many good sessions about OIDFed at the TIIME unconference

      • Nothing super surprising from our/software perspective

        • Clearly interest/demand for our resolve entity API implementation (not yet PoC’ed)

        • Perhaps explicit registration may be more important than initially thought

Ian

  • xmlsectool 4 seems to be working with PKCS#11 again now, release next week

John

 

Phil

 

Rod

  • Working through idp backlog

  • Getting ready to get back to WinHttp

Scott

  • TOTP plugin patch (twice)

    • Make sure every authn flow has a conditional imported resource to allow people to add beans to the flow context.

  • Thymeleaf plugin review

    • Based on changes in V5.1

    • Need enforcer data released, holding for Duo dependency keys

    • Probably need some examples to include in the plugin for existing views anyway…

  • Returning to SP

    • Fleshing out token consumer endpoint, successfully tested a dump of session data returned from hub

    • Realized my logic to evaluate compatible bindings/decoders overlaps heavily with the 5.1.4 servlet request validator addition; propose we add implementations of that to enforce method and content type and move the SP to leverage it

Tom

Other

 
