2025-06-06
Shibboleth Developer's Meeting, 2025-06-06
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. The June 20th call is most likely going to be cancelled, and we may cancel the July 4th call as well due to availability.
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at OSU, see Shibboleth Developer call 2025-06-06 for details.
AGENDA
Board updates
Attendees:
Brent
Absent
Daniel
Henri
JOIDC-222: Support for OpenID Federation (In Progress)
Initial implementation for federation policy constraints
Customizable map of beans implementing the FederationPolicyConstraint interface
BouncyCastle used for entity naming constraints: can be replaced with another implementation if needed
New spec draft released this week
Minor upgrade coming up to the OIDC-stack
JWT authentication improvements, OIDC.SSO.MDDriven to oidc-config
Release planned for the week starting on 16th
Very good chance for funding to work on Verifiable Credentials after summer
Mostly away in July, but following tickets and email
Ian
Absent
John
Unable to attend today
Smoke tested SP on RHEL 10 GA EC2 instances (RPMs install cleanly, shibd runs from systemd)
No new EC2-brick-inducing Rocky/RHEL kernels as of 05/31
Trying to regain some traction on SSPCPP-993: Archive cpp-linbuild builder images in AWS ECR (In Progress)
Rocky 9.6 is out including Docker images
Marvin
Phil
Bit slow, some vacation.
Looking at the new profile config options for audience and client authentication JWTs, with Henri.
That should now be in place for the RP, needs some testing and certification, ready for release.
JWEBAUTHN-55: Trigger for notification when a webauthn credential is added/removed from an account (Open)
Finalising a WebAuthn notification method for registration events. Mostly Add and Delete keys, but there could be others.
Is pretty explicit right now, inject hooks into the correct actions. But easy to add a function.
Maybe this should be improved in the future (Per Scott’s comment about listeners).
Is this worth doing? JCOMOIDC-131: Change name of plugin modules to include version (Closed)
Future:
Looking at PAR for the RP in a branch
A better way to handle WebAuthn policies based on various factors about the authentication.
Rod
Declaring the WinHttpRemoting service (new SP/Windows) done for now
With a side benefit that I now know how to snoop on TLS traffic from a suitably doctored Jetty
Next up (subject to agreement)
Going to take a side swipe into EDS for a consortium member
Then start writing a Jetty plugin V2 design document
Scott
SP SessionCache hell
Absolutely going with immutable sessions…if we ultimately support things like OAuth refresh tokens and such, that will need to result in “replacement” of a session to change the information. I don’t see that being a major issue.
Timeouts are the devil.
High level componentry/logic mostly seems sound, but I think can be better optimized when disabling timeouts to avoid a lot of chatter to maintain timestamps even at less frequent intervals.
Have a draft file system implementation with some holes, but some larger problems I suspect would make it unworkable under load, just not sure. Mainly concerned about file locking issues, particularly on shared file systems, but I don’t have experience in this area.
NOT concerned about security risks due to third party file system access….
Alternative SessionCache SPIs:
Remote requests against Java StorageService (gives us memcache and JDBC OOB)
Chunking across cookies with the data encrypted via remote requests to Java DataSealer
I guess this works, I’m always paranoid about the overhead of so many remote calls, obviously would be nice with a hub locally
Admin logout a challenge here, requiring shared storage to track revoked sessions
Tom
Progress on IDP-2323: Exception in flow, when consent goes to the database (Open)
simple test for pruning records looks good
Other