Shibboleth Developer's Meeting, 2025-05-02
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-05-16. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Hosting code for GEANT-funded VC plugin from Janne?
Attendees:
Brent
JSATTR-6: SAML AttributeQuery DataConnector (Open)
Some work since last time, going slowly
Out for almost all of June, so have a self-imposed deadline to get done by end of May.
Daniel
Henri
JOIDC-222: Support for OpenID Federation (In Progress)
Initial implementation for delegated trust mark validation
Interop event earlier this week
Many success cases with RPs and OIDF conformance suite Alpha
Some fairly minor issues
Request object validation - the fed draft has some additional requirements to OIDC that were not covered
Explicit registration response contents - I had wrong wiring to issuer and subject claims
Our requirement for an optional metadata claim (response_types)
Unsurprisingly some issues in metadata policy enforcement
Connect2Id provides test vectors: Metadata policy test vectors for OpenID Federation 1.0
Our metadata policy implementation is against draft 17 (September 2021)
Merging was working surprisingly well
Enforcement rules are clearly different between the draft versions
The current implementation is in oidc-commons and is used in dynamic registration and for unregistered clients
Decided to extend that in OP-impl for now to be compatible with the current draft
Later consider either combining these or keeping them separate (e.g. MetadataPolicy vs FederationMetadataPolicy)
Ian
John
Mostly swamped by other projects, not to mention <gestures weakly at all the things>, so not much to report
Re-testing the problem with kernel 4.18.0-553.50.1.el8_10.x86_64 that bricks Rocky and RHEL EC2 instances with a later kernel. Results from us-east-2 after upgrading to kernel RPMs 4.18.0-553.51.1.el8_10.x86_64:
Rocky 8 boots successfully
RHEL 8 boots successfully
Marvin
Phil
Interop event with Henri.
JOIDCRP-73: Aliased decoded IdPAttributes are lost during subsequent use (Closed)
Followed Rod and Scott’s lead, inlined the merging code from shib-attribute-api, and fixed the RP
JDUO-92: Update duo_universal_java to version 1.2.0 (Closed)
Will need to update to 1.3.1 as they have now updated their pinned CA bundle. Which we also need to do in the Nimbus plugin: JDUO-93: Update CA bundle for Nimbus variant (Closed)
Looking to release Duo next week once I’ve updated to their latest SDK and CA bundle.
Might release WebAuthn next week with two UI features (edit nickname, format last used time improvements) as Shannon is putting something together and needs those.
Rod
Attribute Filter cases including long standing bug in IdPAttribute
Enforcer is now Java17
Moving back to WinHttp and PEM files.
Do we need/want to talk about EDS-96: Support ignoring diacritics while searching (Open)
Scott
IDP-2375: Aliased decoded IdPAttributes are lost during subsequent use (Resolved)
SAML proxy case was adjusted to merge values across duplicate IDs before passing off to encoding step
Completed initial removal of old Attribute APIs from SP agent to prep for session cache redesign
May add some kind of simple Attribute API back to simplify other code, but nothing for the moment
Added new AttributeConfiguration interface/impl to agent to relocate attribute export behavioral settings and code
New attributes.ini file to handle header mapping rules and the misc settings
With headers disabled becomes optional, if using default settings and hub-directed names
Goal is to minimize/eliminate extra config for those using simple and best practice approaches
Starting on reimplementation of cookie handling in agent
Tom
Still working on tests: IDP-2323: Exception in flow, when consent goes to the database (Open)
Other