After standing still for a while a lot of things are starting to happen
in pyFF world.
I have merged a major PR (from myself) introducing python3 compatibility
to pyFF. This is in large part thanks to the work that @lundberg and
others did over the last few weeks to fix pyXMLSecurity.
At the same time I have removed all version pins and the preferred build
environment is now python3. I have updated the docker repo at
github.com/SUNET/docker-pyff to reflect this. Please refer to this repo
for current instructions on how to build and deploy pyFF (hint: its a
lot simpler than it used to be).
Over the next couple of days/week I will focus on excising the discovery
code into the github.com/TheIdentitySelector/thiss-js.git repo and also
merging https://github.com/IdentityPython/pyFF/pull/159 which contains
the future "REST-like" API for pyFF.
My apologies because I think I have asked this before...
Is this a true statement?
Today with the head of the master branch for SATOSA one cannot mix
protocols and have an OIDC backend and a SAML2 frontend to create an
OIDC-to-SAML gateway using SATOSA.
I will be offline between Friday 18/1 and Tuesday 22/1. On Tuesday is
our regular bi-weekly call. I am not 100% sure that I can make it on
time. Would you like to have this call or should we reschedule?
Ivan c00kiemon5ter Kanakarakis >:3
Today I finshed an OIDC/SAML broker based on Satosa that I needed to patch for
 but also for not hashing the OIDC sub. It turned out the OIDC RP expected
the sub to map to pre-provisioned users, known by their SAML ePPN.
I even suspect it expected  but in absence of a configured claim in id_token
resorted to using the available sub.
The (hardcoded) fix is easy: just configure sub public and return value in
internal_data.py UserIdHasher::hash_data. Would there be any interrest in a PR
to make this an option in oidc frontend conf?
Then, I have two outstanding questions for IdPy. One is a formal answer to the
problem outlined in  and the second is . We would really appreciate an
answer to both questions.
Today I noticed a very strange behaviour of SATOSA SAML backend and was
curious if anyone on the list could shed a light on my findings?
For SURFnet's SecureID (2factor auth) service an SP needs to send a signed
authnRequest on the Redirect binding of the SSO endpoint. The only setting I
could find for SATOSA backend conf was
This, however generates an enveloped signed xml messages that is dropped on
the Redirect endpoint, which is against the SAML standards, which explicitly
mandates the signature element to be removed and a URL request parameter
Signature to be added to the request:
220.127.116.11 DEFLATE Encoding
1. Any signature on the SAML protocol message, including the <ds:Signature>
XML element itself, MUST be removed
4. The signature value MUST be [...] included as a query string parameter
Did I miss something in the config to enable this behaviour or is pysaml2
blatantly ignoring the standard?
Martin van Es
Heather, Scott, Christos, Ivan, Roland, Johan
0. Agenda bash
Heather will send out a new invitation with updated BlueJeans
information later today.
1. Project review
- Satosa (Satosa PRs - https://github.com/IdentityPython/SATOSA)
Not a lot happened over the holidays. Ivan was working on items related
to eduTEAMS (common internal representations for back and front ends).
He also fixed some tests; we can now use the latest pytest.
Ivan archived the Satosa microservices repository; will move the issues
to the main Satosa repository. We will split out the microservices into
their own repositories (one for each microservice). This will allow for
a package per microservice, each with its own dependency. Ivan will send
email how core API should work with the microservices.
Ivan will go ahead and cut a release now that the microservices are set,
and then will work on the PR related to eduTEAMS. One PR in particular
relating to a discovery service; not quite sure what to do about this one.
Roland would still like to see an OIDC front and back end. That is on
the list; Ivan will reach out to Roland when that work is started.
Christos asks, regarding the consent service, do we know who is using it
and are there alternatives? When we discussed this in the past, there
weren’t many users of this service. The only ones actually using it were
SURFnet; they proposed to make a fork and maintain what they need. Main
repository has been abandoned. It would be good to find out if anyone
else is using it. eduTEAMS uses this for an information sharing service
since they base their access on Legitimate Interest, not a consent
- pySAML2 (https://github.com/IdentityPython/pysaml2)
A new pySAML2 will be coming out soon; this is related to a security
issue - see https://github.com/IdentityPython/pysaml2/issues/578
The issue is with how XMLsec does not check its data. When an error is
encountered with XMLsec, we need to add an exception in how that’s
handled. Ivan has made a few changes and created a test that shows some
errors we were missing when XMLsec threw an error.
Ivan has not pushed a final fix yet, but there are instructions on how
to work around this. Will push a small fix for now, and then we’ll
consider further changes to the code.
Johan has read the analysis and agrees this isn’t exploitable; that it
isn’t exploitable is only by luck.
Issue 579 relates to something reported out of eduTEAMS. This relates to
yet another issue - hw we define the digest and signing algorithm we
use. We need to make the default signing algorithm something other than
SHA1 and make that a choice in configuration.
- pyFF (https://github.com/IdentityPython/pyFF)
Leif is still working on refactoring the code. Need to get an update
from him out to the list.
How much will this refactoring change how the code is deployed today?
How will is relate to Satosa? The architecture is changing
significantly, but from the perspective of Satosa, nothing changes.
There will be an MDQ service available to get the metadata, and from a
discovery standpoint there will be a backend responding to requests and
you can run whatever front end you want (there will be a default
- Governance docs (https://github.com/IdentityPython/Governance)
Board is meeting tomorrow; we hope to make more progress on deciding
about whether a CLA is required and the IPR home.
2. TIIME planning
Note that Ivan will arrive about 11:30am (meeting officially starts at
Current attendees: Ivan, Johan, Scott. Christos is tentative.