Notes: idpy developers call 8 January 2018
Heather, Scott, Christos, Ivan, Roland, Johan
0. Agenda bash
Heather will send out a new invitation with updated BlueJeans
information later today.
1. Project review
- Satosa (Satosa PRs - https://github.com/IdentityPython/SATOSA)
Not a lot happened over the holidays. Ivan was working on items related
to eduTEAMS (common internal representations for back and front ends).
He also fixed some tests; we can now use the latest pytest.
Ivan archived the Satosa microservices repository; will move the issues
to the main Satosa repository. We will split out the microservices into
their own repositories (one for each microservice). This will allow for
a package per microservice, each with its own dependency. Ivan will send
email on how the core API should work with the microservices.
Ivan will go ahead and cut a release now that the microservices are set,
and then will work on the PR related to eduTEAMS. One PR in particular
relating to a discovery service; not quite sure what to do about this one.
Roland would still like to see an OIDC front and back end. That is on
the list; Ivan will reach out to Roland when that work is started.
Christos asks, regarding the consent service, do we know who is using it
and are there alternatives? When we discussed this in the past, there
weren’t many users of this service. The only ones actually using it were
SURFnet; they proposed to make a fork and maintain what they need. Main
repository has been abandoned. It would be good to find out if anyone
else is using it. eduTEAMS uses this for an information sharing service
since they base their access on Legitimate Interest, not a consent
- pySAML2 (https://github.com/IdentityPython/pysaml2)
A new pySAML2 will be coming out soon; this is related to a security
issue - see https://github.com/IdentityPython/pysaml2/issues/578
The issue is with how XMLsec does not check its data. When an error is
encountered with XMLsec, we need to add an exception in how that’s
handled. Ivan has made a few changes and created a test that shows some
errors we were missing when XMLsec threw an error.
Ivan has not pushed a final fix yet, but there are instructions on how
to work around this. Will push a small fix for now, and then we’ll
consider further changes to the code.
Johan has read the analysis and agrees this isn’t exploitable; that it
isn’t exploitable is only by luck.
Issue 579 relates to something reported out of eduTEAMS. This relates to
yet another issue - how we define the digest and signing algorithm we
use. We need to make the default signing algorithm something other than
SHA1 and make that a choice in configuration.
- pyFF (https://github.com/IdentityPython/pyFF)
Leif is still working on refactoring the code. Need to get an update
from him out to the list.
How much will this refactoring change how the code is deployed today?
How will it relate to Satosa? The architecture is changing
significantly, but from the perspective of Satosa, nothing changes.
There will be an MDQ service available to get the metadata, and from a
discovery standpoint there will be a backend responding to requests and
you can run whatever front end you want (there will be a default
- Governance docs (https://github.com/IdentityPython/Governance)
Board is meeting tomorrow; we hope to make more progress on deciding
about whether a CLA is required and the IPR home.
2. TIIME planning
Note that Ivan will arrive about 11:30am (meeting officially starts at
Current attendees: Ivan, Johan, Scott. Christos is tentative.