2026-04-17

Shibboleth Developer's Meeting, 2026-04-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2026-05-01 (public holiday in mainland Europe). Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. IdP patch schedule

  2. (RDW) https://shibboleth.atlassian.net/browse/JJETTY-37 : we can make this work, but do we want to?

  3. I18N cleanup

    1. Status of OIDC claim rules and other plugin messages

    2. Eliminating the separate translations project.

  4. Actions arising from repository outage

  5. Create a new java-oidfed-common plugin

  6. Commit Emails

Attendees:

Brent

 

Daniel

 

Henri

  • OpenID Federation

    • Support for signed_jwks_uri in the client/RP metadata

    • Client authentication now supported in our resolve-entity flow

      • Exploits the OP’s already existing authn/OAuth2Client flow

      • Default configuration is to require private_key_jwt method (signed with federation entity key)

        • Other methods may be supported via profile and authentication flow configurations

    • WIP: client authentication to the federation endpoints

      • Some refactoring needed to the endpoint-specific metadata cache fetching strategies

    • Next up:

      • (Automated) Trust anchor key rotation - ideally with input from the pilot

      • Move and generalise the common parts of the code into oidfed-common

Ian

 

John

  • Finally found time to get an Agent wired up to the testbed Hub. Will move on to session cache load testing.

Marvin

 

Phil

  • Initial discussion with Henri and Scott on adding OpenID Federation support to the OIDC SP

  • OIDC config patch to stop requiring oidc-credentials.xml for simple, but common, deployments of the RP-Proxy

  • State handling in OIDC

  • OIDC-SP cleanups and testing

    • Fixing the form_post response mode decoder

  • Started adding some content to the OIDC SP reference docs

    • Not much yet.

    • Some plagiarism from the SAML pages, which I feel bad about, but some of the introductions and content are similar.

Rod

 

Scott

  • Server madness this week

  • SP patch to refresh OpenSSL

    • Note 4.0 is now final. We need to look at a refresh to a newer LTS version and hope we don’t need to change a lot; it looks like V3.5 is what we need.

  • First cut of SP SAML reference docs

  • First implementation of SP-initiated logout and the SAML LogoutRequest subflow

    • Agent changes committed but not tested, and not in the alpha obviously

    • I’d rather complete the other half of the logout impl before updating the alpha

  • Started on a redesign with Phil of SP request state mgmt in the Hub with a single design for SAML and OpenID along with some additional new features

    • Eliminates “extra” cookies for tracking resource URLs separately from request correlation data for CSRF protection

Tom

  • Getting closer with updated integration tests for the Jetty plugin

Other