Shibboleth-SP 3.0.4 update

Cantor, Scott cantor.2 at osu.edu
Fri Mar 15 15:44:15 GMT 2019


> OpenSAML 3.0.1 does not seem to bring important changes, so I'd leave it
> alone if you agree.

The goal of those changes was to reach a state in which any ERROR in the log requires a necessary operational response.

> The SP patches are a mixed bunch, though.  The boost::bind() changes are
> familiar and theoretically important, as I understand.  The _shibpost cookie
> limit sounds somewhat niche, though, and if it "randomly breaks in tabbed
> situations", then I'm hesitant to push it.

The point of that comment was just noting that as with the other cookie bounding rules, they assume some sort of temporal order that isn't actually real. That's not a new thing, the other cookie guards behave the same way. In practice 12 tabs at once is not exactly likely. But the fix is kind of major in that it actually breaks clients when you hit loops in a way that's more or less unrecoverable without deleting cookies. Data shouldn't grow boundlessly, is the point.

> The copy of the <SSO> attributes is
> handy...  Is it something one can work around by spelling out the individual
> SessionInitiators?

Yes.

> I don't get the part about the MessageEncoders.

The broken settings are the ones that are applied to classes in OpenSAML, which is principally the messaging classes. Most settings are SP related and those get picked up without the workaround.

> Finally, the exception handling -- I guess the documentation allows for these exceptions,
> and you can't rule out them actually happening, so you'd better handle them, right?

If you were going to not ship an update to the SP otherwise, you can defend not applying them. If you were going to, they're mandatory, they'll prevent DoS crashes that haven't been identified yet. And they're low risk, obviously.

-- Scott
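Added example (editor's illustration, not Shibboleth SP code): the bounding behaviour discussed above for the _shibpost cookies, reduced to a small C++ model. It assumes a hypothetical stash that keeps one cookie per pending request, that a redirect loop stores a fresh one on every pass, and that the bound is 12 entries evicting the oldest; those details are assumptions for the illustration, not a description of the SP's implementation. It shows both halves of the point: without a bound a loop grows the cookie data without limit until the client breaks, and with a bound the eviction is by insertion order, which is the temporal-order assumption the reply says is not actually real when many tabs are in flight.

```cpp
// Editor's added example, not Shibboleth SP code. Models a bounded stash of
// per-request "_shibpost_<id>" cookies (names and limit are assumptions).
#include <cstddef>
#include <deque>
#include <map>
#include <string>

class PostCookieStash {
public:
    explicit PostCookieStash(std::size_t maxEntries) : m_max(maxEntries) {}

    // Stores body under id. When the bound is exceeded the oldest entry is
    // dropped. "Oldest" means insertion order, so with many tabs in flight
    // the dropped entry can belong to a tab that is still waiting on the IdP.
    void put(const std::string& id, const std::string& body) {
        if (m_data.find(id) == m_data.end()) {
            m_order.push_back(id);
        }
        m_data[id] = body;
        while (m_order.size() > m_max) {
            m_data.erase(m_order.front());
            m_order.pop_front();
        }
    }

    bool has(const std::string& id) const { return m_data.count(id) != 0; }
    std::size_t size() const { return m_order.size(); }

    // Bytes this stash would contribute to the client's Cookie header
    // (name + '=' + value + ';' per entry).
    std::size_t cookieBytes() const {
        std::size_t n = 0;
        for (const auto& kv : m_data) {
            n += kv.first.size() + kv.second.size() + 2;
        }
        return n;
    }

private:
    std::size_t m_max;
    std::map<std::string, std::string> m_data;
    std::deque<std::string> m_order;
};

// Simulates a redirect loop: each pass preserves the same POST body again
// under a fresh id, exactly the pattern that makes cookie data pile up.
// Returns the resulting Cookie header size so the growth can be checked.
std::size_t simulateLoop(PostCookieStash& stash, int passes, std::size_t bodySize) {
    const std::string body(bodySize, 'x');
    for (int i = 0; i < passes; ++i) {
        stash.put("_shibpost_" + std::to_string(i), body);
    }
    return stash.cookieBytes();
}
```

Running a 1000-pass loop through an unbounded stash leaves well over 100 KB of cookie data on the client, which is the unrecoverable-without-clearing-cookies state the reply describes; the bounded stash stays at 12 entries, but the first tabs' cookies are the ones evicted.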




More information about the Pkg-shibboleth-devel mailing list