2025-11-07

Shibboleth Developer's Meeting, 2025-11-07

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-11-21. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. Jetty announcement

  2. Please review any IdP 5.2.0 backlog

  3. SP POST preservation – denial of service mitigations?

  4. Board update

Attendees:

Brent

Daniel

Henri

  • First iteration of API vs IMPL division for the current fed-plugin code

    • Hard to avoid fed-impl being dependent on OP-impl

  • Explicit registration improvements

    • Now works better with remote trust chain resolution

    • Trust Chain + Trust Mark data is stored to the client information record

      • Can then be exploited during the OAuth2/OIDC sequences

    • Improved flow tests (e.g. content-type and JWT type headers are now up to date)

  • Log fine-tuning according to feedback from the eduGAIN pilot deployers

    • Some are not straightforward (e.g. warnings from metadata cache)

Ian

  • https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/4629659652 :

    • Testing was deleted.

    • Seems to be working: “I completely forgot we switched the SP plugins” (Scott).

    • Exception: commits pushed to Codeberg and mirrored to git.shibboleth.net are not being mailed to the commits@ mailing list. I don’t know why and it’s hard to debug. I have tried a couple of tweaks to the mailer without success. How much does this matter?

      • Some progress with this, maybe.

    • Are we at the point where this isn’t an experiment any more?

    • Next steps other than that declaration? (Next repos to formally move):

      • xmlsectool (Ian)

      • java-idp-translations (translators are special cased)

      • Things we’ve worked on in the last couple of weeks, per the current mirroring script:

        • cpp-sp, java-identity-provider, java-idp-plugin-oidc-op-oidfed, java-plugin-webauthn, java-oidc-common, java-parent-project

        • More disruptive, but that can be seen as a good thing as it’s going to flush out any issues.

      • Things that are current but haven’t been worked on in the last couple of weeks:

        • Somewhat disruptive, but not much feedback available.

      • Things that are not current (e.g., java-support)

        • Not disruptive at all, but correspondingly low benefit. Need to be done eventually.

        • Could even set these on Codeberg as not belonging to any teams, preserving the “locked” behaviour some of them have in Gitolite already.

        • I’d be tempted to save effort by not setting up Codeberg to git.shibboleth.net mirroring for these, make them static, and ultimately remove them from our server.

John

  • https://shibboleth.atlassian.net/browse/CPPSP-26

    • SP4 alpha 1 is building on all supported platforms.

    • Currently: linting/scrubbing SPEC file

    • Next: remove unneeded build-time packages from builder images

    • Later: smoke test installs including SxS w/SP3

Marvin

Phil

  • WebAuthn:

    • 2 bug fixes, done.

    • 1 feature request, need to think about it

  • OIDC RP:

    • TokenConsumer flow now performing back-channel Token requests

      • And failing, I will move my Mock server over from the RP-Proxy for testing

      • Next would be to plug in the id_token validation logic

      • Then, UserInfo lookup and back out as a response.

    • Trying to figure out how best to manage state, and what needs to be saved off.

Rod

  • Playing with SP4 hub and agents (IIS and Apache on Windows).

  • It's brain bending juggling 4 different machines (Hub, IdP, and 2 agents) but it all just works.

    • But it has been a chance to use the jetty plugin for real (in two different places)

  • All my issues have been PEBKAC or in my code.

  • Next up WiX (and much procrastination)

  • Jetty-base plugin

    • Being tweaked.

    • I did many of the changes proposed 3 weeks ago including separate base, IdP and SP modules

  • 5.2 backlog

    • Will try to get IDP-2378 at least partially completed. The rest can be closed, pushed out or punted to the jetty plugin

    • Potential new work item (to auto-set IDP_BASE_URL) outlined in JJETTY-24

Scott

  • SP documentation ongoing, getting into the meat of the Hub, which is much harder to document due to Spring, etc.

    • Inheritance material is incomprehensible but had to park for now

  • Ported up rest of legacy access control features from V3

    • Had to hack in some kind of ISO 8601 parsing to the best I could manage, stuck to UTC for full time stamps, which was a change from V3

    • Sacrificed compatibility with the more complex legacy cases to consolidate the old messy syntax into a single “schema” and “XML” plugin type for all the supported rules

  • https://shibboleth.atlassian.net/browse/JSHIBD-16

    • Fully indirected the basic auth “username” from the underlying Agents in the Hub to support N:1 service account/agent relationship

    • Adjusted how agent ID is handled in Agent by moving it to a [remoting] setting, emptying out [global] section

    • Continued fixes to defaults based on Rod’s testing

  • Remaining major work items per blog:

    • Alternative Session Cache options, including the one we may end up using later as a default.

    • Cleaning up and finalizing some of the error handling features in the Agent

    • Audit logging in the Hub

    • OIDC support (probably absent the Federation support initially)

    • Logout – I’d like to at least get a local logout feature working for alpha

    • Documentation, documentation, and documentation

Tom

  • Jenkins and Java maintenance

  • Working on testing Jetty and SP plugins

Other