2025-09-19

Shibboleth Developer's Meeting, 2025-09-19

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-10-03. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. Codeberg, but we can cover via Ian’s update

  2. VC/wallet grant proposal participation

Attendees:

Brent

  • Work on streamlining and potentially automating IdP release process

    • The process is mostly fleshed out. Can do a full automated tag and build on the desktop container.

    • Other scripts for Git review, publishing and Javadocs are done, but the latter 2 untested b/c don’t really have a way to “test” a release.

    • Some minor work and issues remain as far as a nightly automated release build, etc. E.g. the signing question, sending email, etc.

 

Daniel

 

Henri

  • The latest OP snapshot now contains initial versions of the extension hooks needed for the fed-plugin

    • Jira tickets JOIDC-252 .. 258

    • Will add documentation of auto-wirings (similar to IdP) once wirings are finalized

  • The current state of the fed-plugin is now populated into the java-idp-plugin-oidc-op-oidfed repo

Ian

  • https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/4629659652:

    • Mirroring from git.shibboleth.net seems stable.

    • Please tell me about new repositories.

    • Experiment mirroring from Codeberg also worked.

    • Obvious next step might be to ask people on the dev@ list to use it as their source (but not shut down GitWeb yet).

    • Might also be worth flipping one mirror: MDA maybe?

    • Feature gaps and general impressions?

    • Open question 1: what about CI:

      • CI directly to Codeberg might get throttled; we don’t know. We can try and see what happens.

      • One option would be to leave CI pointed at the current location and reverse the mirroring. Developers (internal and external) would use Codeberg; Jenkins would remain pointed at what would amount to a local cache.

      • I think we could still disable GitWeb under this arrangement; Jenkins uses /git while GitWeb is served on /view?

  • MDA 1.0.0: I think work is complete, question is when to release to minimise Spring Framework and other dependency churn. Thoughts?

  • Java 25 is now GA. We need to integrate that release into our Jenkins matrix tests, but then I plan to do the due diligence to allow us to add it to the supported list for the Java 17 platform in https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1161266638/Product+Platforms?atlOrigin=eyJpIjoiZTU4ZDA1NzhmNWY2NDg0ZWFjZjY4NjJlY2U0YTEzMGMiLCJwIjoiYyJ9 . I don’t foresee any real issues here.

John

Marvin

 

Phil

  • Working on session initiation in the SP for OIDC

    • Understanding what comes from where, Agent v Hub

    • Refactoring RP proxy classes to apply to both the RP-Full and the RP-Proxy using strategies

      • Coordination effort eventually required to put this into oidc-common

      • Also, coordination needed to decide on oidc-config usage (profiles I copied over to the RP-Full for now)

    • Looking into the policy control features (disallow features etc), and prompt=none can be handled.

 

Rod

  • Not going to be there. My apologies to the meeting.

  • Jetty-Plugin

    • No outstanding work for me (ATM). In particular it now logs “Out of the box” (by taking a copy of the current IdP’s logback jars)

    • Windows lightly tested.

    • Looking for more Linux testing (and I know there is more stuff to come in the Linux side)

  • EDS

    • JISC would like a release

    • I reverted a submitted patch because it failed accessibility testing.

    • I don’t have the capability to crank a release. If the team decides to do a release can someone volunteer?

  • SP

    • Going to start on IIS testing RSN

Scott

  • Added two SP plugins to nightly and javadoc jobs, still need to add to multis.

  • Completed initial re-development of SP session cache to allow versioned sessions to support mutation for two main cases: multiple address family bindings and “OAuth” (broadly speaking, all the potential refresh insanity in that layer).

    • Address case works well multi-process as any attempt to populate a missing family hits the back-end and will notice if another process already filled one in.

    • OAuth cases will work less well due to processes having older copies of the data, but because the cookie is updated when a version is bumped, a process should “quickly” notice that it needs to read the newer version in.

    • (Very) light testing done.

  • Some testing done to ensure OOB localhost behavior working as intended.

  • Started fleshing out attribute behavior and getting that documented for alpha.

  • Neither critical for alpha, but the big ticket items left are audit logging in the hub and the error handling in the agent.

Tom

  • Working on:

    • Jetty Plugin tests

    • bumping Maven plugin versions

    • Nexus migration

Other