Notes: idpy developers call, 9 March 2021
by hlflanagan@sphericalcowgroup.com
Attendees:
Ivan, Giuseppe, Heather, Hannah Sebuliba, John P, Roland
Regrets:
Scott
0 - Agenda bash
1 - Governance policy updates
• Joseph has transferred the djangosaml2 to the GitHub repository page
• idpy Board meeting next Thursday
2 - GitHub review
b. Satosa - https://github.com/IdentityPython/SATOSA
Merged a few things, but nothing major. We have a new person contributing to the code based, contributing new microservices and working with the OIDC backend.
• https://github.com/IdentityPython/SATOSA/pull/355 - feat: add support for the Scoping element and RequesterID in SAML2 backend
Question re: does SATOSA have support for SLO on the roadmap? Not right now, though Ivan recognizes we need to look at this. See also https://github.com/IdentityPython/SATOSA/issues/211. There are different types and methods to initiate logout, but it all comes down to a best-effort activity for the user.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Ivan has been looking at the PRs for both pySAML2 and Satosa and have merged some.
• https://github.com/IdentityPython/pysaml2/pull/757 - Handle all types of ACS endpoint specifications
• https://github.com/IdentityPython/pysaml2/pull/779 - Raise SAMLError on failure to parse a metadata file
• https://github.com/IdentityPython/pysaml2/pull/763 - Invalid Destination URL Exception Handling
• https://github.com/IdentityPython/pysaml2/pull/766 - InvalidAssertion Exception
• https://github.com/IdentityPython/pysaml2/pull/772 - Response with unvalued AudienceRestriction (Condition) Handling
• https://github.com/IdentityPython/pysaml2/pull/762 - Minor bug fix to metadata function in example IdP
Changes still under discussion:
• https://github.com/IdentityPython/pysaml2/pull/778 - [Strengthen Encryption] PySAML2 Encrypted Assertions now works with Shibboleth SP 3 - note that we will not be using RSA, but instead using RSA OAEP as generally recommended. Switching to RSA OAEP is a breaking change.
The main thing we need to work on more are the encryption pieces. More work needs to be done around signing, and how we configure metadata and internal processing about which algorithms we accept. This is close to being wrapped up, and then Ivan will focus on how to encrypt the payloads. Right now we depend on xmlsec1, writing files, etc. Given our recent security issues were a result of how xmlsec1 behaves, this whole set of functionality must change. We have all the pieces we need to do this ourselves, without relying on a library like xmlsec1. We can focus purely on something that meets the need and requirements of SAML.
eIDAS requires specific algorithms be supported, and those algorithms are not supported by xmlsec1. This is another issue for us. This will be a new security backend for pySAML2, and xmlsec1 will be kept as an option.
What about pyXMLsecurity (https://github.com/IdentityPython/pyXMLSecurity)? This is a side project. It was initially planned to be used by pySAML2 but it was never extended to include all the operations expected. It support signing and verification, but there is no encryption/decryption support, and even the signing needs more work. The code is messy. Some of Ivan's new ideas, though, will be taken from here (e.g., low level processes). We don't know if this code is being used by anyone in production.
d. pyFF - https://github.com/IdentityPython/pyFF
No update
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Roland is waiting for Nikos to sign off on the OIDC endpoint. When Nikos signs off, the project will start using that new code and Roland will need to update the documentation.
The OIDF has raised the fee for doing certification. They continue to discuss whether open source implementations should be able to go through certification, the challenge being how to define "open source". OIDF is willing to waive the fee for Identity Python. Roland will not try to certify for FAPI (Finance) unless we hear of a financial institution that uses our code that would require it.
The OIDC Federation spec is an implementer's draft right now. Roland is working with Mike Jones to edit some pieces, but it is largely stable. Hoping to get the vote kicked off to bring it up to a standard level soon (next month or so).
3 - AOB
Reminder: Daylight Saving Time clock skew about to start. Our next call will be March 23 @ 13:00 UTC.
Thanks! Heather