Shibboleth Developer's Meeting, 2026-02-06

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2026-02-20. Any reason to deviate from this?

60 to 90 minute call window.

This week's call will use the Zoom system at GU, see ZoomGU for access info.

Release post-mortem
1. Waiting on real bug reports to see if the c14n changes are sound or not.
SP Alpha
1. Need some due diligence to figure out release strategy for plugins, but plan is for last week of Feb.
OIDFed schedule
1. Getting some feedback but without RPs we don’t have a good idea of when things might be mature enough to release and it isn’t obvious there’s a ton of need to force anything, will keep as a standing agenda item.
Board update

New scripted release process
- Overall went well, no issues
- Need to update the java-parent-project/bin/build-and-deploy-javadoc.sh to accept a NOPROMPT env var so doesn’t prompt on console if the previous step completed successfully
- Brent needs to get release-support repo checked in and pull-request to Ian’s Docker container project for changes.
  - Outstanding question for latter is how the release-support project code is included in the container. For convenience right now during dev I’m just doing a bind mount to my local working copy, but there are other options which may be better (clone in Dockerfile; clone on container start; even full RPM).

OP OpenID Federation plugin
- Improved trust chain resolution logic
  - Now deals “broken” authority hints
- Refactored metadata policy constraints feature
  - Previous logic was “ok/fail” - not satisfactory for the updated allowed_entity_types
- Support “critical” claims in statements:
  - ‘metadata_policy_crit’: the policy operators marked as critical must be mapped in the list of operators
  - ‘crit’: the spec mandates these to be “recognized and processed”
    - Custom filter functions may be wired for each metadata cache
- Updated explicit registration to exploit metadata caches for all validations
  - Enables reuse of same validation code with other the resolver caches
TIIME unconference next week (Wednesday-Thursday)
- OIDFed workshop on Friday after the main event

https://shibboleth.atlassian.net/browse/CPPSP-26
- SxS installs of SP3 + SP4: essentially sorted
- Working through when to restart httpd.service or not on install, upgrade/downgrade, removal
Expected EoLs for “SP Alpha” agenda item
- AL2: 2026-06-30
- RHEL7 ELS: 2029-05-31
- Current Ansible on a control node is no longer compatible with latest Python available on this generation of EL, for example.

https://shibboleth.atlassian.net/browse/JSHIBDOIDC-11
- Went back over the metadata handling in the RP. This is working now, thanks to the updates Scott made.
https://shibboleth.atlassian.net/browse/JSHIBDOIDC-8
- ACR validation logic can now be toggled in the Hub.
  - Although currently it treats them all as essential, even if they were requested as voluntary.
    - Maybe the remoting input for OIDC needs to capture that (currently use authnContextClassRef like SAML)
- Trying to work through TODO cleanups on the OIDC-SP
- Next, will look to change the CookieManager approach for storing state tokens to the StateTokenManager.

Windows installers
- SP agent complete for alpha release and documented
- Jetty 12.1.6 up in maven wait for someone to want it/announce it.
- Wait for more testing from JISC

Mailman issues
Some Jenkins cleanup
SP documemtation
Reviewing settings and status of some minor features
https://shibboleth.atlassian.net/browse/JSHIBD-7
- Think this was the last significant (maybe any) SAML dependency in the shibd plugin
Sketching out plan for logout development
SP service release to update OpenSSL