Shibboleth Developer's Meeting, 2025-12-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-12-19. Any reason to deviate from this?

60 to 90 minute call window.

This week's call will use the Zoom system at GU, see ZoomGU for access info.

https://shibboleth.atlassian.net/browse/JOIDC-264
- Do we have a pattern for this kind of cases? Is * ok?
OpenID Federation
- The public 60d review has started: voting in February
- Recent developments:
  - Customizable entity configuration contents
    - Wired to profile configuration: OIDFED.Configuration p:optionalClaimsLookupStrategies=”..”
      - Current example: https://codeberg.org/Shibboleth/java-idp-plugin-oidc-op-oidfed/src/branch/main/idp-oidfed-op-impl/src/test/resources/net/shibboleth/idp/module/conf/oidfed/oidfed-entity-configuration-claims.xml
      - Mostly due to handy reloading via shibboleth.RelyingPartyResolverService
  - The spec is now clear on how entity statement claims should be verified (entity configuration vs subordinate statements)
    - Some claims are validated by the metadata cache’s validation filter (via claims validators) ..
    - .. but some claims are verified later in the process (e.g. during trust mark resolution)
    - Mostly caused by the fact that code relies on Nimbus EntityStatement parsing - we probably want more control
  - All the metadata caches should also cache non-successful responses
    - Some already do: resolve entity, trust mark, trust mark status
    - Some not: entity configurations and subordinate statements

https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/4629659652 is done, to a first approximation.
Just in time for multiple DDoS of their service.
#infra in Slack now monitors their Mastodon status account (a thing they now have).
Still want to look into protecting maint- branches using some kind of automation.

No progress worth reporting. Continuing to chip away at removing unneeded RPMs in the in thebuildes.r image

https://shibboleth.atlassian.net/browse/JCOMOIDC-139
- Profile configuration work in a oidc-common dev branch.
OIDC SP (https://shibboleth.atlassian.net/browse/JSHIBDOIDC-2 )
- Add attribute resolution to the extraction of OIDC claims for the agent
- Almost finished attribute transcoding and filtering for the extract step
  - Attribute filter context metadata r is SAML only?esolver
  - The Output DDF is taking shape
- Adding access token and refresh token to the session data returned in the output DDF.
  - Now sealed after discussion with Scott.
  - Will add that as a DDF structure
- Improve flow tests
- Back to re-enabling the disabled security checks, and looking to create my own local Agent.

Moved house, still drowning in boxes and chasing recalcitrant tradesmen. Probably not going to make the meeting
Starting to swap WiX so as to build a (potentially minimal) installers for the Windows SP agent.
Believe that I am done for the Jetty plugin 1.0.0 release.

Jetty plugin testing
Reviewing Spring 7 issues
- Logging I think is clear, we have to stop excluding commons-logging 3 as it supposedly autodetects SLF4J
- Annotations will be an “us” problem but shouldn’t affect deployment
https://shibboleth.atlassian.net/browse/CPPSP-37
- Mostly built, some cleanup and unit testing to finish.
Setting up a testbed in AWS initially for the SP, eventually will include IdP
- Vehicle for live testing of “everything” at once to flag plugin conflicts
- Eventual load testing of SP
- Identifying lots of expected “alpha” issues with Agent before calling that done
SP bug report - memcache again, the library is clearly non-viable and is destablizing on invalid keys, but it’s a member report so we will attempt a “poor” fix

Need to deploy java-idp-testbed built against Spring Framework 6 to run the integration tests against IdP 5.1