shibboleth-dev - RE: SHIB design call -- (8/9), 3:00 pm edt, noon pdt

Subject: Shibboleth Developers

  • From: "Howard Gilbert" <>
  • To: <>
  • Subject: RE: SHIB design call -- (8/9), 3:00 pm edt, noon pdt
  • Date: Mon, 9 Aug 2004 14:53:11 -0400

> 1) Quick status review -- java target (if Howard is on the call)

I will be on the call, but the status deserves to be written. I will keep it
short so people actually read it.

The major milestones in the last week were coding AAP and finishing
ShibBinding. With these pieces, the code should be able to form the
attribute query, send the SAML request, get the response, apply Trust to
validate signatures, reject items that should be signed but are not, then
apply AAP to remove values and items that the AAP rules do not accept. The
remaining Attribute Assertions are stored in the Session object with the
original Authentication Assertion.

I have now coded every interface except Revocations. [Revocations Chapter 5
Verse 7: "And I beheld a certificate. Its name was "CN=Legion", and its
serial number was 666."]

A sharp eye will note that a few checks were skipped over and now need to be
filled back in. Expiration dates need to be checked and the replay cache
needs to be added back in.

Information logging messages have to be added, or an alternative strategy
for debugging proposed. Now that there is an overall complete code
framework, I can look to add a more comprehensive error recovery (catch)
strategy. Ideally, unit tests would be added to match the error tests and
the logging statements [this is all part of the same pass].

I am iteratively refining the test environment: Eclipse, Ant, Tomcat, a
combined Origin and Target, certificates, metadata, configuration files. I
had hoped to have it running by the phone call, but underestimated the
number of dumb little problems that have to be found and fixed.

I am now to the point where I need to answer the questions I swept under the
rug. What exactly is the "audience" collection? When exactly should a
request for an unknown applicationId return an error instead of "default"?
...
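The target-side sequence described in the status above (validate the signature, reject what should be signed but is not, check the validity window and replay cache, then let the AAP strip values and attributes it does not accept) modelled as a toy pipeline. This is an added example, not code from the thread or from the Shibboleth Java target: an HMAC over a JSON body stands in for an XML signature over a SAML assertion, the key, providerId, attribute names and AAP patterns are all constructed, and the replay cache is a plain in-memory dictionary.

```python
"""Toy model of the target-side checks applied to received attribute assertions."""
import hashlib
import hmac
import json
import re
import time

# Constructed values: a shared HMAC key stands in for the origin's signing
# certificate, and the target's providerId is made up for this example.
ORIGIN_KEY = b"constructed-origin-signing-key"
TARGET_AUDIENCE = "https://target.example.edu/shibboleth"

# Constructed AAP: attribute name -> regex a value must fully match to be kept.
AAP_RULES = {
    "eduPersonAffiliation": r"member|student|faculty|staff",
    "eduPersonPrincipalName": r"[^@]+@example\.edu",
}


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so signing and verifying see identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(body: dict) -> dict:
    """Origin side: wrap the body with an HMAC standing in for an XML signature."""
    mac = hmac.new(ORIGIN_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": mac}


class ReplayCache:
    """Remembers assertion IDs until they expire so a repeated assertion is rejected."""

    def __init__(self):
        self._seen = {}  # assertion id -> expiry time

    def check_and_store(self, assertion_id: str, expires_at: float, now: float) -> bool:
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge stale ids
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def apply_aap(attributes: dict, aap_rules: dict) -> dict:
    """Keep only attributes the AAP names, and only values matching the rule."""
    kept = {}
    for name, values in attributes.items():
        pattern = aap_rules.get(name)
        if pattern is None:
            continue  # attribute not in the AAP: dropped entirely
        good = [v for v in values if re.fullmatch(pattern, v)]
        if good:
            kept[name] = good  # an attribute with no acceptable values is dropped
    return kept


def process_assertion(envelope: dict, aap_rules: dict, cache: ReplayCache, now=None):
    """Return (filtered attributes, "accepted") or (None, reason for rejection)."""
    now = time.time() if now is None else now
    body = envelope.get("body", {})
    sig = envelope.get("signature")
    if not sig:                                   # must be signed
        return None, "unsigned assertion rejected"
    expected = hmac.new(ORIGIN_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):    # Trust: signature must verify
        return None, "signature does not verify"
    if now < body["not_before"] or now >= body["not_on_or_after"]:
        return None, "assertion outside validity window"
    if TARGET_AUDIENCE not in body.get("audience", []):
        return None, "audience restriction excludes this target"
    if not cache.check_and_store(body["id"], body["not_on_or_after"], now):
        return None, "replayed assertion id"
    return apply_aap(body["attributes"], aap_rules), "accepted"


def run_demo(now: float = 1_092_000_000.0) -> dict:
    """Feed constructed good, replayed, unsigned, tampered, expired and mis-addressed assertions."""
    cache = ReplayCache()
    good_body = {
        "id": "_a1", "not_before": now - 60, "not_on_or_after": now + 300,
        "audience": [TARGET_AUDIENCE],
        "attributes": {
            "eduPersonAffiliation": ["member", "alumnus"],
            "eduPersonPrincipalName": ["howard@example.edu"],
            "unreleasedAttr": ["should-not-pass"],
        },
    }
    good = sign_assertion(good_body)
    unsigned = {"body": dict(good_body, id="_a2")}
    tampered = dict(sign_assertion(dict(good_body, id="_a3")))
    tampered["body"] = dict(tampered["body"], attributes={"eduPersonAffiliation": ["faculty"]})
    expired = sign_assertion(dict(good_body, id="_a4", not_on_or_after=now - 1))
    wrong_aud = sign_assertion(dict(good_body, id="_a5", audience=["https://other.example.org/sp"]))
    return {
        "good": process_assertion(good, AAP_RULES, cache, now),
        "replay": process_assertion(good, AAP_RULES, cache, now),
        "unsigned": process_assertion(unsigned, AAP_RULES, cache, now),
        "tampered": process_assertion(tampered, AAP_RULES, cache, now),
        "expired": process_assertion(expired, AAP_RULES, cache, now),
        "wrong_audience": process_assertion(wrong_aud, AAP_RULES, cache, now),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:15s} {outcome}")
```

The check order matters: the signature is verified before any field of the body is trusted, the replay cache is consulted only after the assertion has passed every other test so that a rejected assertion does not occupy a cache slot, and the AAP runs last on what remains. The "alumnus" value and the attribute the AAP does not name are silently dropped rather than causing the whole assertion to fail, which is the behaviour the status describes.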



