2013-03-08

Owned by Scott Cantor
Last updated: Mar 08, 2013
5 min read

Shibboleth Developer's Meeting, March 8, 2013

Attendees: Scott, Ian, Rod, Brent, Daniel, Paul Hethmon

I2MM?

Most of the usuals not attending, but the Board is still planning a meeting there, so Scott has to attend. Tom's planning to go to IIW, and Ian/Rod not expecting to come, so suggest we use the time we had reserved for Brent, Scott, and possibly Daniel to do some code review on the OpenSAML work that's left, maybe brainstorm out the message context trees if there's work left on them.

They scheduled the Board meeting opposite one of our blocks. The latest (this was after the call) was a suggestion to have developer time on Sunday 12-3pm and Monday 8am-12pm. The Board meeting would be Sunday 3-6pm.

Future Call Scheduling

Scott will create a doodle poll to see if there's a better standing call time for everybody. Suggest, per Tom, that we use the time more regularly if only for brief touch-base calls, and assume we'll use the time unless we cancel.

xmlsectool

Ian indicated the main issues to be addressed are done, a bit of minor work left. Main thing is to wait for the 2.4 release so the libraries are released.

We discussed the state of Elliptic Curve support. Scott was confused and during the call was thinking we used vt-crypt in V2 for key processing. This is not the case, but we asked Daniel to check into getting a snapshot of it available, which can be tested with V3 for EC support. Meanwhile, after the call we verified that V2 was using the not-yet-commons-ssl library and we don't have support there for reading EC keys from files. Scott suggested Ian could test EC crypto support by using a keystore as the key source. Scott would like to try to get EC tested in a basic way because it would be nice to have working support in the "final" V2 code release to future proof things.

Some discussion on the call and after about moving some algorithm mapping logic out of xmlsectool and the MDA into V3 at a later point. Also suggested moving from Santuario algorithm constants to our own.

IdP 2.4

Most of the feature work has been done, some testing left. Discussions ongoing about the contributed adaptive login page. Going to yank the Shibboleth logo and links and mentions of Shibboleth itself (like references to JIRA!) then circle back for another review.

Should we replace the current default login.jsp with the adaptive one? Agreement to go ahead and switch to the adaptive one (with the original renamed).

Scott made some additions to the taglibs, Rod will review.

The OpenSAML Velocity templates have been enhanced by Unicon to allow injection of content into the head and body sections using the classpath. By default the injected templates are empty. Scott checked this in with unit test updates after the call.

Other features added this week: the uApprove filter plugin based on AttributeConsumingService, and an option to bypass ACS checks for signed requests.

Two significant OpenSAML issues:

  • Host name verifier for https, Brent looking into this. Doesn't think it will be too bad. Will take Daniel's feedback about the JNDI case into account.
  • Use of NodeList for node iteration. Scott will start working on that.

Shooting for last week of March release.

Scott completed porting the library changes on the V2 branch to V3. From now on, port anything added to V2 or open an issue to track it explicitly.

A handful of openws changes need to be looked at, they seem to be in the area of the HttpResource implementation, the HTTP client, and the caching, backup, and file reloading behavior in V2. Scott thinks we're going to have to look into all that for V3 because the separation of duty between the resource abstraction and things like the metadata providers is very tricky.

SP 2.5.2

Microsoft's patches can't be applied to an updated installer that incorporates the previous patch, because the installer's package GUID changes. Rather than fix some library issues with a patch, we will do a 2.5.2 update, and know to avoid updating installers after the fact.

No schedule on this, Scott wants to prioritize V3 tasks. Probably looking at Summer.

Summary of February meeting outcomes

Scott has made our notes from Columbus public with actions/decisions/open issues. All attendees please review and act appropriately.

Scott suggests morphing the page into a living document tracking broader issues we need resolution or work on, things that don't fit well into Jira.

Discussion of Webflow and session persistence

Brent has done a bit more research, but no conclusions and some slightly heightened concern based on Marvin's feedback. Definitely need to look into this, but it's not critical path for Q1.

AACLI Deliverable

Daniel indicates the LDAP connector is done, apart from configuration.

The RDBMS connector needs more work. Scott or Daniel can take this, will discuss with Tom.

Configuration work underway based on last night’s checkins from Tom.

Daniel had an issue to raise with connector validation and what its scope should be. Concerns that more than just simple connection success may be important. He noted LDAP has a “validation filter” – if that is present, it's used and if not it just connects. We've had a similar feature in the past with the JDBC case but mainly through validation queries used in pooling data sources. Need to review this to see if it's supported more generally.

Should we do more? In scope to consider doing something, but not a priority. Scott suggests adding a Jira task for some kind of validation interface people could plug into to do more or less validation. Scott is strongly against fail fast behavior in production systems, and would like the ability to avoid that without having to install dummy connectors using the failover feature.

Rod to wait for Tom’s input, but inclined to move on to completing the attribute filter predicates.

What about scriptlet (and Velocity) support environment? Rod to capture such thoughts as he has into the JIRA case.

Connection Information

Time: 16:30 UTC

Meeting ID: 534-352-638

Web URL: https://www3.gotomeeting.com/join/534352638

Dial-in Phone Numbers
Australia: +61 2 8355 1040
Austria: +43 (0) 7 2088 1400
Belgium: +32 (0) 92 98 0592
Canada: +1 (416) 900-1165
Denmark: +45 (0) 69 91 88 62
Finland: +358 (0) 942 41 5778
France: +33 (0) 182 880 456
Germany: +49 (0) 811 8899 6975
Ireland: +353 (0) 14 845 976
Italy: +39 0 247 92 12 39
Netherlands: +31 (0) 208 080 379
New Zealand: +64 (0) 4 974 7215
Norway: +47 21 03 58 96
Spain: +34 911 82 9782
Sweden: +46 (0) 313 613 558
Switzerland: +41 (0) 225 3314 51
United Kingdom: +44 (0) 203 535 0621
United States: +1 (786) 358-5410