Work on IdP V4 is generally on track, but we're still probably 4-8 weeks from final scoping depending on what it looks like we can finish before meeting our intended scheduling goals.
Some API changes are continuing throughout the code base, most recently a large physical change with relatively little actual impact, removing a lot of generic type parameters from the API that weren't being used effectively and that made it difficult to fix a lot of compile-time warnings in the code. This will have some nominal impact on third party extensions, but nothing very extensive.
We have a tentative strategy for adding more formal CSRF prevention features to the next version, subject to more testing.
An "almost complete" work item is a redesign of the password validation code to support chaining of both JAAS and non-JAAS authentication options. We get asked a lot about how to support multiple LDAP directories at the same time, and we now have an alternative approach for that (and more general cases) that should reduce or eliminate the need for deployers to be copying or mucking with the Password login flow. Building custom validators will also be possible with simpler, more self-contained Java code that doesn't depend on Spring and doesn't require adhering to the odd interface that JAAS modules impose.
Substantial progress has been made moving CI builds to AWS.
CentOS 8 is still a work in progress, but assuming it emerges in September/October we will need to spend some time on SP backlog in preparation for a new release to coincide with doing that packaging work, particularly given that there might be a bug or two to fix to get that packaging done.