Attendees: Johan L, Shayna, Ivan, Mikael, Matthew, Enrique, Hannah, Alex
0 - Agenda bash
1 - Project review
a. General
- Discuss whether we should move some of Roland's project repos (which
have been moved under Sunet) to be under IdPy:
- SUNET/openid4v - ??
- SUNET/satosa-idpy - frontend - becomes part of SATOSA
- SUNET/satosa-openid4vci - extension to proxy - becomes MR under
SATOSA
- SUNET/fedservice - under idpy
- SUNET/idpy-sdjwt - under idpy
- Need time to understand - should probably slack Roland about
what changes they are introducing
- Also there is a document that explains the process for adopting the
code under IdPy which Ivan was going to share.
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc,
JWTConnect-Python-CryptoJWT, etc)
- New MR(s) with Nikos introducing changes around resource indicators/
audience policies. The internal fork is also being synced with the
upstream.
c. Satosa - https://github.com/IdentityPython/SATOSA
- trying to get to release for LDAP plugin changes
d. pySAML2 - https://github.com/IdentityPython/pysaml2
- Want to make sure latest releases will work together (both Satosa and
pySAML2)
- trying to get to release for typing changes for the entity
categories
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Enrique mentioned in issue in pyFF, where entities in different
federations have the same entity id. One possibility is that it
may be the
same entity registered to different federations, but also it could be two
different entities in different federations but they have the same entity
id. Enrique has the use case in Seamless Access, where entities are
registered in two different federations, in different entity
categories. He
needs to be able to merge certain entity attributes in this case.
- The issue and Enrique's notes on it can be found here:
https://github.com/IdentityPython/pyFF/issues/289
- The way things are now, the entity in the first federation would
be overwritten by the one in the second federation.
- We may want to merge different entity categories, which may
differ from one federation to another.
- For filtering in mdq, we would need the attributes, which could
have different values in different federations, to be merged.
- Enrique's PR was merged to allow select pipe to be able to
produce a list of entities with duplicates. But the
overwriting happens
before the select pipe - it happens in the load pipe - all
the entities
from all the sources are squashed into one dictionary, keyed
by entity id.
- One idea would be to keep the entities keyed not only by entity
id but also by metadata service in the load pipe, but there
is some concern
that this could introduce problems. When the user requests an
entity id,
how would we know which one to choose? Could this be handled
in the MDQ
service? Would the rest of the attributes give a fairly good
heuristic to
distinguish between those cases? The select pipe can default
to doing it
the way things currently work - overwriting the first with
the second - or
use a heuristic downstream to either merge the duplicated
entities or keep
them separate since they are different. Mikael warns that we
need to be
careful not to change the default heuristic - otherwise we
might break all
federations. A new heuristic would need to be approved for
each aggregator.
We need to better define what happens when we get conflicts
so someone will
be notified, instead of just getting the last loaded. We will need a
feature flag so we don't break deployments.
- Ivan wants to establish if this a current problem, or if we are
trying to think ahead to a potential problem, especially in
the case where
the entity ids are the same in two different federations but
the actual
entities are different. We should document that we make the
assumption that
there will not be different entities in different federations
that will
have the same entity id. However, If they are the same entity but in
different federations, there is an issue with the entity
exposing different
things in each federation.
- Merging multi-value attributes: What if there is an entity with
an entity category in InCommon (say, "hide from discovery")
that is not
available when that same entity is in eduGain? If we merge
them, something
that was not intentional would happen. Need to examine these
things more
thoughtfully before doing merging - some are based on policy.
- PyFF - Microsoft EntraID causes a problem with hash marks in
entity ids. pyFF doesn't support getting it by url, only by sha1sum. pyFF
refuses to load a file when hash marks appear in it.
- pyMDOC-CBOR
- will create an MR around a request for an improvement
2 - AOB
- Welcome to Alex - he has been working with Ivan looking at the
proxy/Satosam, focusing on projects under GÉANT CoreAII (formerly
eduteams). He has a lot of experience with different languages and
libraries, and has a lot of ideas on how we can approach things and
structure things better.
- Need to create a list of questions generated from Matthew's efforts to
write his own IdP / test SP, then work through a few of them at a time
weekly.
Enrique Pérez Arnaud has asked me to draw attention to notes he added to a
pyFF gihub issue, regarding duplicate entity ids in pyFF in different
federations. The notes can be found here:
https://github.com/IdentityPython/pyFF/issues/289#
I will also add this link to the discussion of this issue in the IdPy
developers meeting yesterday. The notes from that meeting will be out later
today.
Thank you,
Shayna Atkinson
SCG
