2025-04-04
Shibboleth Developer's Meeting, 2025-04-04
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI (Note US times are the same as usual, others are not due to time zones.)
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-04-18. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Patch post-mortem
OpenSAML advisory
Jenkins weirdness
OSJ-424: opensaml-bom forces the version of Spring Framework (Open)
Just noting it, seems like we need to plan on redoing it all again for V6.
(PS, if time) Some TIIME feedback.
OpenID ‘Connect’ federations (Wallets out of scope for this)
RP support is poor. So adapting ‘vanilla’ RPs to support OIDFed.
Proxies in front of ‘vanilla’ OPs and RPs.
Generating a list of OPs for OP discovery (and UI info which is all missing, filtering by trust_marks)
Federation topologies, trusted trust mark issuers
As Henri says, resolvers that resolve and verify trust_chains and metadata policies (need to be performant).
Attendees:
Brent
No progress to report this week, since the patch release had a GU deadline for yesterday.
May have to step away from call briefly if maintenance guys show up.
Daniel
Henri
Absent today, apologies
JOIDC-222: Support for OpenID Federation (In Progress)
Initial support for pushed trust chain support within explicit registration
Fits explicit registration “naturally”
Much more challenging fit to the automatic registration, unless we store the RP record state on server-side
We can’t really store the complete chain of entity statements (JWTs) inside the authorization code or tokens
Many good sessions about OIDFed at TIIME unconference
Nothing super surprising from our/software perspective
Clearly interest/demand for our resolve entity API implementation (not yet PoC’ed)
Perhaps explicit registration may be more important than initially thought
Ian
xmlsectool
4 seems to be working with PKCS#11 again now, release next week
John
Phil
OIDC RP Proxy 2.2.0 release
TIIME unconference
JCOMOIDC-127: Transcoding of object type of claim fails (In Progress)
JOIDCRP-71: Possible bug in setting clientId from properties file (Open) - the OIDC.SSO.MDDriven profile bean only exists in the OP.
(Added) Duo dependency keys
Rod
Working through idp backlog
Getting ready to get back to WinHttp
Scott
TOTP plugin patch (twice)
Make sure every authn flow has a conditional imported resource to allow people to add beans to the flow context.
Thymeleaf plugin review
Based on changes in V5.1
Need enforcer data released, holding for Duo dependency keys
Probably need some examples to include in the plugin for existing views anyway…
Returning to SP
Fleshing out token consumer endpoint, successfully tested a dump of session data returned from hub
Realized my logic to evaluate compatible bindings/decoders overlaps heavily with 5.1.4 servlet request validator addition, propose we add implementations of that to enforce method and content type and move the SP to leverage it
Tom
Other