2025-11-21


Shibboleth Developer's Meeting, 2025-11-21

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-12-05. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. Noting code audit by French govt

  2. Jetty plugin – blockers?

  3. Moving IdP main to Spring 7 – blockers?

Attendees:

Brent

Daniel


Henri

  • OpenID Federation work

  • https://shibboleth.atlassian.net/browse/JOIDC-226

    • Spring CORS Configuration handles both the preflight and the actual requests (containing Origin-header)

      • The currently existing hook (shibboleth.CorsConfigurations) is a static list - the p:allowedOrigins doesn’t scale

        • Dynamic hook shibboleth.CorsConfigurationsSource in IdP 5.2 via IDP-2338

        • The preflight request contains the Origin-header, but not client_id - most of the metadata resolvers can be queried without entity ID criterion, but not all (e.g. local dynamic)

      • The simplest approach is to provide plugin-specific CORS Configuration documentation, containing the required manual steps

        • The (plugin) flows can perform more fine-grained Origin-header validation after metadata resolution

      • Perhaps another option would be to provide e.g. auto-wiring hooks for the dynamic shibboleth.CorsConfigurationsSource in IdP
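As an added illustration of the dynamic-lookup approach discussed above (example code written for this page, not code from the meeting or from the Shibboleth project): a Spring `CorsConfigurationSource` whose allowed-origin decision comes from a per-request lookup instead of a static `allowedOrigins` list. The class name and the `originIsRegistered` predicate are assumptions; in a real deployment the predicate would be backed by whatever the metadata resolver can answer from the Origin header alone, since a preflight carries no client_id.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;

/**
 * Hypothetical dynamic CORS source (example, not Shibboleth code).
 * Instead of a fixed allowedOrigins list, each request's Origin header is
 * checked against a predicate. The predicate is the only input because a
 * preflight request carries Origin but no client_id.
 */
public final class OriginLookupCorsConfigurationSource implements CorsConfigurationSource {

    private final Predicate<String> originIsRegistered;

    public OriginLookupCorsConfigurationSource(final Predicate<String> originIsRegistered) {
        this.originIsRegistered = originIsRegistered;
    }

    /** Convenience factory for a plain set of origins (e.g. constructed test data). */
    public static OriginLookupCorsConfigurationSource ofOrigins(final Set<String> origins) {
        return new OriginLookupCorsConfigurationSource(origins::contains);
    }

    @Override
    public CorsConfiguration getCorsConfiguration(final HttpServletRequest request) {
        final String origin = request.getHeader("Origin");
        if (origin == null) {
            return null; // no Origin header: not a CORS request, nothing to decide
        }
        if (!originIsRegistered.test(origin)) {
            // Unknown origin: a null configuration makes Spring's CorsProcessor add no
            // CORS headers to an actual request and reject a preflight, so the browser
            // blocks the cross-origin call.
            return null;
        }
        // Known origin: echo exactly that origin rather than "*", and keep the allowed
        // methods/headers tight. The plugin flow can still apply finer-grained checks
        // once client_id is known and metadata has been resolved.
        final CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of(origin));
        config.setAllowedMethods(List.of("GET", "POST", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(false);
        config.setMaxAge(600L);
        return config;
    }
}
```

The class plugs in anywhere Spring accepts a `CorsConfigurationSource`, such as a `CorsFilter`, so the static list becomes a lookup without changing how the preflight and actual requests are processed.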

Ian

  • https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/4629659652 is mostly done now:

    • All public working repositories are now canonically hosted on Codeberg and mirrored back to git.shibboleth.net.

    • Inactive repositories are now locked and are no longer mirrored.

    • I added a script (fixremote) to the migration page to make it a little easier to convert your local workspaces. Here’s a copy:

    • Exceptions: personal repositories, gitolite-config, infra-pgpkeys, java-idp-plugin-mgmt.

    • The mail to committers seems to be working again but we don’t know why. If that persists, I will retire the other mechanism.

    • One disruption between the two mail streams seems to come from signed commits. I don’t see the point in signed commits in general (they break if you need to rebase or cherry-pick) but specifically any push containing a signed commit does not appear in Codeberg’s activity feed. This is probably a bug, but for the moment I suggest not using this Git feature with our repositories, with the possible exception of infra-gpgkeys. I think this only affects Tom, and only in the last couple of days, but by definition it’s hard for me to tell.

    • There’s an API we can use to do any further per-repository configuration instead of doing everything manually.

    • Next steps: migrate the two repositories with hooks.

John

No updates.

Marvin


Phil

  • Minor RP-Proxy and WebAuthn work

  • OIDC SP Work:

    • Token exchange is working, signature verification and decryption is wired up.

      • Some of the validators have been disabled until I go back to looking at what gets carried in the state

    • UserInfo profile claims lookup is working. Similar to token exchange w.r.t. the security checks currently enabled

    • Extracting claims and filtering is in place; need to add the attribute resolver

    • The response is added back to the DDF ready to be transferred back to the agent

      • Only the basics atm. No extract session data yet.

    • Will make sure the verification and validation is all working next.


Rod

  • Nothing. Life is getting in the way. Like to continue through the new year

  • Jetty plugin: shaping up nicely. Thanks to Scott and Steven

  • SP. I would like to start poking at Wix6 next week (I am envisioning the simplest possible, GUI free, install at least for Alpha)

Scott

  • Jetty plugin testing and docs for Linux, though I tested with a Mac

    • Pending objections, we will default to 8080/8443 on 127.0.0.1 only

  • SP documentation

    • Hub material complex but coming along, mostly through the intermediate material, no real reference work done yet, or much on security config (i.e. keys)

    • Don’t think it’s a good idea to duplicate most of the existing IdP material where services are reused, but it would eventually be an opportunity to revisit a lot of that for better approachability from both perspectives

    • “Maybe” good enough for an alpha at this point? Not easy for me to assess.

  • https://shibboleth.atlassian.net/browse/CPPSP-37

  • Major concerns that could disrupt plans

    • Load testing the file session cache and the WinHTTP remoting

      • Suspect default session cache will end up being remoted to Hub StorageService anyway until/unless a cookie option is viable/implemented, so don’t know how much I care about the filesystem working

      • WinHTTP fallback is not Curl because that would mean building, linking, maintaining libcurl, openssl, zlib, which is out of the question

Tom


Other