Shibboleth Developer's Meeting, 2019-07-19
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-08-02. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU; see ZoomGU for access info.
Add items for discussion here
- (Phil) Around for the first 45 mins. Can discuss Anti-CSRF implementations if there is time (CSRF Mitigation Options)
- CI status / open issues
- SameSite status
- IDP-1450
- Out for nearly the last 2 weeks for conference and PTO.
IDP-1461
- Velocity 1.7 branch functionally complete; 2.1 just needs fixing up 1 more class.
- Still pending:
- a handful of missing unit tests
- SLF4J conversion
- style adjustments for Velocity conventions (tabs → spaces, etc).
- decision on whether to try to support Velocity 1.7 with another branch/artifact
- On vacation, unable to attend the call today
- Updated the Wiki page regarding OIDC RP as EntityDescriptor: OAuth2/OIDC metadata and OIDC Claims
- The plan is to use EntityDescriptor (client_id is entityID), UIInfo (for instance client_name is UIInfo/DisplayName) and a custom role descriptor. The table of claim/XML-element relationships and the initial draft of the XML schema can be found on the page.
- The implementation is still in progress: extended SAMLPeerEntityContext and SAMLMetadataContext are exploited by the actions.
- In addition to view and form based CSRF protection, looked at a simple AccessControl mechanism for the RESTful admin endpoints: API Key Access Control
- Work on web site "emulation" and drop down menu, see Contact the Shibboleth Project
- Jira upgrade
- Note emails are slightly different to allow for batching of update notifications
- Documenting attribute registry - AttributeRegistryConfiguration
- Still making adjustments to configuration e.g. map to propset, slightly simpler XML
IDP-1474
- Relearned how schema lookup works in Spring, documented that a bit for posterity in V4 Spring design page
- All multi- tests
- How to update Java
- Probably will be stormy/unstable for a while