Shibboleth Developer's Meeting, 2026-05-01

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2026-05-15. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Jakarta mail decision

   1. Pull it

2. IdP patch status/schedule

   1. Second week of May targeted

3. Board update / SP webinar

4. Use of member list

Attendees:

Brent

Daniel

Henri

• Absent today, apologies

• OpenID Federation

  • Client authentication now supported to the federation endpoints (fetch, resolver, trust marks)

    • Extendable, initially supports the default private_key_jwt, signed with the federation entity keys

    • Wiring of security configurations (including signing credentials) was actually fairly tricky, as the metadata caches are currently global beans security configurations reside in the relying-party context

    • Another challenge is that the credentials for authentication are needed during the metadata resolution phase, i.e. before any profile configuration has been selected

      • Currently solved so that the metadata resolution process resolves unverified profile configuration for OIDFED.Configuration and exploits its security configuration - the profile is meant for entity configuration publishing, but “at least kind of makes sense” to be exploited for other signing purposes as well

  • WIP: Revisit trust mark validation configuration

    • I noticed that not all pieces are yet glued together: remote trust mark status verification cannot yet be easily configured

  • Next up:

    • Start moving the common parts into java-oidfed-common repository

Ian

• java-oidfed-common repository is available on Codeberg and on git.shibboleth.net (for Jenkins)

• https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/5112496132 documents adding a mirror to a new repository.

John

No updates

Marvin

Phil

• Working on the SP state management redesign with Scott.

  • Mostly complete and flow tested

  • Will run through the certification suite as a double check (probably Monday)

• WebAuthn metadata annoyances

Rod

• Windows Agent Installer

  • Managed to get a bat (sh) file installed windows agent to work against the hub

  • Just the “set the lock down ACLs left”.

  • Massively faster than msi (and scrutable by anyone)

Scott

• SP state management redesign (original work was bifurcated and incomplete/incoherent)

• JPAR-240: CVE-2025-7962: jakarta.mail@2.0.1ClosedPreview

  • Key verified but….

• IDP-2452: Startup logging for IdP seems to be absentClosedPreview

  • For now I pulled the file I added to fix a Tomcat logging issue.

Tom

• Some progress on integration tests

Other