Shibboleth Developer's Meeting, 2026-03-20

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI (hour earlier for UK/FI)

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2026-04-03. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. SP Agent installer

Attendees:

Brent

Daniel

Henri

• OpenID Federation

  • Support for client-provided trust chains in automatic registration

    • Request object header may contain trust_chain value

    • Initial automatic registration profile configuration options how record is decorated into the claims set

      • Default: array of entity IDs of the trust chain

      • Default for provided trust chains: flag signaling that the client information was stored (similarly to dynamic/explicit registration)

  • Support for publishing OP’s keyset as a signed JWT (signed_jwks_uri)

    • Exploits similar caching as entity configuration flow

  • WIP:

    • Support signed_jwks_uri in RP metadata

      • This requires new features from oidc-commons → dependency to the latest snapshot

  • Next up probably:

    • Authentication to the federation endpoints (client/server)

Ian

• MDA 1.0.0 is out. Still some tidying of the release, and probably then some tweaks to documentation.

John

• Working on connecting test agents to Hub

Marvin

Phil

• Added protocol logging support to OIDC decoders that were missing it.

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-158

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-160

• I did not add the POST data preservation support to the OIDC-SP. I will add that in.

  • https://shibboleth.atlassian.net/browse/JSHIBDOIDC-15

• I’m now trying to finish off my cleanup of the way authentication state is stored between request and context

  • Changing from the cookie approach to the more flexible state manager approach

• Janne also asked me a question which was similar to Scott’s idea of metadata overrides by overlay (https://shibboleth.atlassian.net/browse/JCOMOIDC-159 ). So will have a think.

• Possible next OIDC-SP steps:

  • Exposing a keyset endpoint

  • Testing all the various response modes and options with the cert suite and or OP

  • Refresh tokens--more complex

  • PAR, DPoP support etc.

  • Fed support (above refresh token priority)

Rod

• Jetty plugin windows bug

• Deployed against the AWS hub trivially

• WiX is dead, long live bat!

Scott

• Nothing much, finishing up at OSU taking most of my time.

• https://shibboleth.atlassian.net/browse/JSATTR-47

• https://shibboleth.atlassian.net/browse/IDP-2444

  • Has me stumped

Tom

• nada

Other