It's been a busy month for the project primarily to get the expected beta release of the Identity Provider V4.0 done. Testing to this point has not been extensive, but the early returns from within the team have been positive and the final release is expected by early March at the latest. Upgrades should be very easy for the majority of deployers.

The lifecycle of support for V3 is essentially a foregone conclusion at this point because Spring 4 is end-of-life at the end of 2020. We don't have any compelling reason to abandon security support for V3 any sooner than that, so V3 will be supported through the remainder of this calendar year.

I undertook a mini-project to blitz a port of the OIDC extension and we are on track to produce a compatible extension along with the IdP release. After a short discussion, we agreed to forego significant breaking changes to this code for now and leave things largely as they have been for this release.

For clarity, since this is a period of transition:

In parallel with the beta effort, work has begun on the next SP update, V3.1. This feature upgrade is primarily focused on addressing XSRF in two areas:

The SameSite work is complete and will explicitly designate a subset of SP cookies as SameSite=None, with an optional setting to add a second non-SameSite cookie to support broken browsers for hopefully a temporary period of time. It will also be optionally possible to support cross-site use of SP sessions, when XSRF is a "feature" and not a bug.

The correlation work is underway, but is being carefully implemented to maintain compatibility so it will be an optional feature for security conscious deployers to turn on.

There are a few other odds and ends to complete for the SP release, but we're moving aggressively to complete that work as soon as possible so it's quite likely March will see both IdP and SP releases.

We have a significant queue of work items for the IdP once V4 ships, primarily authentication-related, so the roadmap should be getting cleaned up and clarified once we can take stock of things.