Attendees:
Giuseppe, Ivan, Matthew, Heather, Johan, Hannah, John
Regrets:
Scott
Notes:
1 - Status of architecture documentation
No update; focus is on finding a memory leak.
Will be expanding on the internal data representations, and how the microservices are applied to data representations, and how they get back to the external protocol.
2 - Potential new project for idpy
a. https://github.com/knaperek/djangosaml2
Giuseppe has invited Joseph, the maintainer, to these calls to see about bringing in djangosaml2 under the idpy umbrella.
As a reminder, here are the instructions for adding a project to idpy:
https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
Heather will follow up with the Board in September re: the new project.
3 - GitHub review
Ivan is spending most of his time right now hunting down a memory leak. Other coding is delayed. See Satosa update.
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Status of pkce? OIDC endpoint has support for pkce (a better type of implicit flow). Ivan will be following up on that; sounds interesting.
https://github.com/IdentityPython/oidcendpoint/blob/master/src/oidcendpoint…
Question about whether this generates JWK? We do have scripts that can generate the keys:
https://github.com/IdentityPython/JWTConnect-Python-CryptoJWT/tree/develop/…
You can specify what the key will be used for via the ‘use’ parameter. We currently do not specify that, but might be useful to have. Then it will be easier to generate and use those keys.
b. Satosa - https://github.com/IdentityPython/SATOSA
When running Satosa, a host with 1GB of RAM, after about 3-4 days of processing requests, the memory usage has increased. It’s a slow leak in newer versions of Satosa. It may not even be Satosa itself, but one of the libraries (e.g., OpenSSL library, libxml). If you are restarting Satosa regularly, or don’t have a lot of traffic, this may not be a major impact to you.
Using https://docs.python.org/3/library/tracemalloc.html to help hunt down the source of the leak.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Name format work: https://github.com/IdentityPython/pysaml2/issues/601. PySAML2 assumes the name format value is a URI format. This is a bug on the consumption side. When we parse an attribute element and we don’t find a name format attribute, we should indicate that it is unspecified. When we produce an attribute element, then we have an object and we initialize it with the name format, the name of the attribute, and the value of the attribute. If we don’t specify the name format, then the default is a URI format. We may shift to indicating everything is unspecified unless specified as a URI format.
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Ivan will be on vacation and miss the next call (August 18); we will cancel that call. Next call is 1 September 2020
Thanks! Heather
Attendees:
Ivan, Giuseppe, Scott, Heather, John
Regrets:
Roland, Matthew
1 - Status of architecture documentation
Ivan wrote up a page on middleware: https://github.com/IdentityPython/SATOSA/wiki/Middlewares
Will be adding more on the usage of of middleware, enabling and disabling them.
Question raised if ASGI is something we want to consider in place of or in addition to WSGI. ASGI is generally a good thing. If performance was critical, this might be of interest where we’re worried about reading/writing to disk, timing, and encryption. Mostly, we don’t need the asynchronicity so the cost in terms of refactoring the code is not worth it.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Giuseppe and Roland have been working through new feature requests (e.g., a configuration validator) which might also be of interest for pySAML2. See https://github.com/IdentityPython/oidcendpoint/issues/70. Many ways to implement this, suggest including the documentation in the validator. This could be a schema. Ivan suggests looking at https://pydantic-docs.helpmanual.io/
b. Satosa - https://github.com/IdentityPython/SATOSA
Added the middleware documentation to the wiki space (see above).
Fixed the metadata generation for the virtual frontend.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
New release is out, which includes changes from Johan needed for the eIDAS proxy node. Mostly changes in the aggregate maps. Some fixes in the docs. New general config option for creating entity attributes that we don’t have specific configurations for. Allows us to set the friendly name attribute and values. See https://github.com/IdentityPython/pysaml2/commit/e5d0b4f0760144430d885165d4…
NameID format config has been changed, and how we handle the NameID format policy. This was a breaking change. See https://github.com/IdentityPython/pysaml2/commit/0c1873da1f280d4921b9c9b3da…
Working on changing the default algorithms. We do need to decide what we want the new defaults to be (currently SHA1). Changing the defaults will be considered a breaking change. Still need to work through how this will be configured. SHA1 is hardcoded in some places. We need better defaults for signing and digesting pieces of XML documents. Given what we do (we are not in a high performance environment) the slight performance hit of SHA512 over SHA256 may not be significant. When issuing responses with poor vendor implementations of SPs, we have to consider whether they can handle the more complex algorithms. We will go with SHA512 as our choice, but need to be clear on documenting how to change the default and consider how to set this as a per-SP choice.
We use a cert to check the types, and whether some things are verified. This is not ideal; certs are stripped out when python code is compiled. Will replace the certs with exception raises, making the type of exception reasonable.
d. pyFF - https://github.com/IdentityPython/pyFF
3 - AOB
Backend initiated responses
Scott has a modification to the SAML front end to support unsolicited flows, so that you can have a URL and specify all the details you want for the flow. This has been useful in COmanage when, after a registration flow, there is enough information to send the user to a specific SP based on their enrollment. If anyone else needs this kind thing, please contact Scott.
Typehints - Should we be using these? Yes, where they make sense. If we can have actually schemas that can verify input/output, and within the system we can then rely on the data that has been verified, that would be good. Typehints should be set where the API is defined.
Should we consider incorporating Django SAML into idpy? Giuseppe will reach out to the Django SAML team and see if they are interest, and then send a message to the idpy-discuss list for feedback.
Thanks! Heather
Attendees:
Giuseppe, Heather, Ivan, John P, Hannah, Christos
Regrets:
Scott
Note:
0 - Agenda bash
1 - Status of architecture documentation
All this started around the idea of middleware; these will be a configurable set of things. Ivan continues to develop his ideas on this, has not yet started writing these down.
Will also be creating an identifier for any request that comes in; that will allow us to mark requests as unsolicited as needed, and change how we process it.
Microservices look like middlewares, just not at the network level.
Alternatively, may start developing something called interceptors instead of middlewares; Ivan still investigating the possibilities.
Look to the wiki space in Satosa GitHub for upcoming documentation. May also be creating diagrams (using https://plantuml.com/) that will explain at least part of the flow.
We still need better basic documentation to get people started; problem is Satosa is so complicated, it’s hard to put together good documentation.
In terms of diagrams, Ivan is also looking at:
- https://www.websequencediagrams.com/
- https://plantuml.com/
- https://app.diagrams.net/
- http://blockdiag.com/en/blockdiag/index.html
- https://www.lucidchart.com/
- https://www.gliffy.com/
- https://creately.com/
- https://miro.com/
One question about using signals to help automate the documentation, but that won’t work for Satosa, which doesn’t use a framework that would support that.
Note that Rainer created some graph diagrams for Satosa as well about a year ago ( https://github.com/IdentityPython/SATOSA/pull/263)
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
b. Satosa - https://github.com/IdentityPython/SATOSAhttps://github.com/IdentityPython/SATOSA/pull/322
People are bookmarking the discovery service as their initial landing page to a service, but that leaves the SAML backend confused as to which front end the discovery service belongs to in that scenario. Scott, Ivan, and Matthew have talked about whether the backend should have its own discovery flow. We would need to define a list of strategies on where to get the target service, and the backend would need to make that part of the context so the front end would know what to pick up and send back to the service. This is doable, but not trivial to code.
Could throw an error that lets the user know they need to start at whatever service they want to go to. Not sure this would work either, because the user may well not know the URL to the service URL. Alternatively, have a generic landing page that contains links to all the services and let them pick from there. This page would be created by the deployer, and not automatically generated by Satosa. Can be implemented in the same way that the unhandled exceptions will be handled.
Ivan will need to finish writing up and then implementing middleware, and then we can work on this issue.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Ivan has been looking at refactoring name_id_format (https://github.com/IdentityPython/pysaml2/issues/669)
Ivan has a patch, but it is a breaking change. New option is called name_id_policy_format. The policy format specifics what happens with an authN request is created, and the name_id_format options is only used to define what’s in the metadata. Name_id_format can have multiple values (the order of the values matter) while the name_id_policy_format only takes a single value which, if not specified, will not be set. The “none” string is now gone.
Ivan plans to do a non-breaking release first with some other changes, and then will introduce this breaking change.
Also looking at https://github.com/IdentityPython/pysaml2/pull/628 that will allow us to disable weak algorithms. This is a good initial step, but it’s not really enough. pySAML2 defines different algorithms that it knows how to work with, as does xmlsec. We currently ask xmlsec to give us that list, getting a different set depending on xmlsec version, and then we compare it to what pySAML2 knows how to handle. If we follow this pattern, we will need to update pySAML2 with the list of what it can handle. Alternatively, we can store a restricted last that will focus on what to disable, rather than what to support. The trick is that we need the proper namespace names out of xmlsec rather than the short names we get now. We also need to define proper defaults (right now, the default is SHA1). We should disallow md5.
Hopes to have something by the end of the week that will get us moving in the right direction by configuring the choice of algorithms.
d. pyFF - https://github.com/IdentityPython/pyFF
3 - AOB
Thanks! Heather
Hola a todos!
We’re canceling the call for tomorrow, Tuesday 9 June. Ivan is working on getting out new releases for Satosa and pySAML2. Keep an eye on the list and the slack channel for updates.
See you in two weeks!
Thanks! Heather
Attendees
Roland, Ivan, Heather, Johan, John, Scott, Christos
Notes:
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Libraries are progressing. Last time, we talked about the abstract storage interface. Working on getting the whole stack to use that. The goal being to start two OPs at the same time, sharing the data (and the workload). Roland has heard no comments on the design, and so is moving ahead. Ivan’s thoughts are that he might have chosen a simpler API himself, but overall this works.
After this, we can get into scopes per RP.
b. Satosa - https://github.com/IdentityPython/SATOSA
Still needs to work on writing down his thoughts on the overall architecture for idpy, as well as for the specific projects like Satosa.
Currently looking at working with the WSGI interface. When a network request comes in, before it gets to the apps, it must go through different middleware layers. The goal is to make this a first-class concept in Satosa, with a new config option about what tools will run those layers.
Logging: Looking to use the bind interface, so when we switch to stratlog, we will be compatible with that interface. The middleware will create or get the sessionID and that will be used throughout Satosa, and will bind it to the logger. We want to have a single logger or dictionary that will be added to the logger output every time the logger is invoked. That data needs to be available through the flow, and then needs to be cleaned when it leaves the proxy. That will be done through a middleware as well.
Scott offers a rough use case where there might be a need for a change in the format of the sessionID. It might be helpful if this can be reconfigured on the fly. If the middleware objects are exposed such that they can be accessed by other objects or components, that might be helpful. Ivan suggests always run the default one, and have code in the middleware (not the microservice) that says if certain conditions are met, to overwrite the sessionID. Ivan will consider this further.
Ivan is also looking at doing some more error handling, and redirecting to different pages. If we have the concept of middlwares, we can have the global handler that handles all the exceptions, fills up a WYSGI parameter, and then uses appropriate middleware to handle. This way, the user can decide how the error needs to be handled. This will improve the levels of flexibility for how the whole system behaves.
There are also some merge requests that Ivan still needs to look at.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Merged the fix for the ID attribute names (decrypt, encrypt, sign, or verify). This has been a merge request for a while. We can probably iterate on this idea some more, like how to find the node that holds all the signing or encryption information.
Also planning to accept the merge request on giving the namespace prefixes proper names. (https://github.com/IdentityPython/pysaml2/pull/625)
Ivan will be looking into refactoring how we select algorithms, and how we can select default ones. Right now, SHA-1 is hardcoded, after the next release.
Issue about the scopes on the attributes: this was filed on the Satosa repo, but it is probably a pySAML2 that will be doing this for Satosa. (https://github.com/IdentityPython/SATOSA/issues/297)
d. pyFF - https://github.com/IdentityPython/pyFF
n/a
2 - AOB
Note that work will be starting on the eIDAS front end code.
Thanks! Heather
Attendees
Roland, Scott, Giuseppe, Heather, Johan, Matthew, Hannah, Ivan, John P, Leif
Notes:
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Roland and Giuseppe started looking at abstract storage - a way to persist information that the OP/RP gather during their lifetime. Started a draft to describe this, and an implementation using SQL Alchemy. This changes the CryptoJWT API slightly. There is an abstract storage library now in GitHub, and Roland has a branch on CryptoJWT (abstorage) that uses what Giuseppe has.
See PoC: https://github.com/peppelinux/pyAbstractStorage
Ivan notes we probably want to avoid being tied into SQL Alchemy, but the design should allow for other possibilities (e.g., MongoDB)
Please review and submit issues or PRs.
b. Satosa - https://github.com/IdentityPython/SATOSA
Still working on the exception handling, designing a layered approach to how we handle errors. Instead of a single function, will try to propagate exceptions to other layers so they will handle them as they need.
Also doing work on the loggers and have a few things ready. Before he pushes, want to make sure we have a compatible path for the new library and dependencies. This is based on structlog.
Whenever the state of the proxy is saved in the cookie and when the user redirected to another service, we need to clean up the state of the cookie. We’re not near any limits wrt the cookie, but this will be a way to keep things clean.
One use case: stopping a SAML flow with Satosa, and then allow the user to go through an entirely different SAML flow that still uses the same Satosa instance, then put the user back into the original SAML flow. An example of this is a step-up flow. Ivan has some code that does this. The consent microservice also does this. The routing mechanism, though, needs to be rewritten. This will one of the bigger refactoring we need to look into.
https://github.com/IdentityPython/SATOSA/pull/322 - the flow that can start from the discovery service; this has been deferred for a while - is it ready to roll? Not yet; will review on next call
https://urlproxy.sunet.se/canit/urlproxy.php?_q=aHR0cHM6Ly9mdW5jdGlvbnRyYWN… - allows you to get info from a running service. Ivan is trying to make this work with Satosa; it was originally designed to run around an executable, not in a flow like ours.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Someone reported an issue where building rpms was not working. Given the age of these systems, we’re not going to try and fix this. Even if we wanted to support this, it is more properly an issue for the Python maintainers.
Another issue ( https://github.com/IdentityPython/pysaml2/issues/675) was about pylint errors - most of the issues were a result of not all libraries being installed.
On the list:
• https://github.com/IdentityPython/pysaml2/pull/662 - want to merge 662 (cleanup on the name of the id attribute used by xmlsec in order to encrypt/decrypt/sign XML documents, specifically SAML).
• https://github.com/IdentityPython/pysaml2/pull/665 - Also want to merge a fix for the tmp file creation. Python gives you a way to create tmp files, but this only works for UNIX systems. This needs to be refactored in order to support Windows.
d. pyFF - https://github.com/IdentityPython/pyFF
2 - AOB
FastFed - could the structure be useful to us? Maybe - the work started with a specific task to connect an OP with an SP. But this does not meet many of the needs of Higher Ed, and many in the higher ed sector have voted against it. The vote did pass, but they have asked for a representative of the group that voted against it to join and work with them on the spec. They had asked early on if they could use the OIDC federation work, and that would have covered many points but not the attribute mapping issues they also had.
The proxy should do attribute mapping better as well; that’s on the list.
