- Idpy-discuss - lists3.sunet.se

by ivan.kanak＠gmail.com

Hello everyone, there has been a report on incident-response at idpy.org about a security issue in PySaml2. Alexey Sintsov and Yuri Goltsev from HERE Technologies reached out and reported a XML Signature Wrapping (XSW) vulnerability. The issue affects responses with signed assertions. PySaml2 can be tricked to think that an assertion had been signed and use the assertion information, when in reality the Signature points to another part of the xml document that is controlled by another party. The issue was assigned CVE-2020-5390 and is now fixed in the latest pysaml2 release. The relevant code commit that fixes is the issue: https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521… Release v5.0.0 contains more changes, including: - Add freshness period feature for MetaDataMDX - Fix ipv6 validation to accommodate for addresses with brackets - Fix xmlsec temporary files deletions - Add method to get supported algorithms from metadata - Add mdstore method to extract assurance certifications - Add mdstore method to extract contact_person data - Start dropping python2 support Pointers to the release with changelog and more information, below: - the relevant release commit: https://github.com/IdentityPython/pysaml2/commit/f27c7e7a7010f83380566a219f… - the github release: https://github.com/IdentityPython/pysaml2/releases/tag/v5.0.0 - the pypi package: https://pypi.org/project/pysaml2/5.0.0/ + + + + + + + + In more detail, regarding the XSW vulnerability: libxml2 follows the xmldsig-core specification. The xmldsig specification is way too general. saml-core reuses the xmldsig specification, but constrains it to use of specific facilities. The implementation of the SAML specification is responsible to enforce those constraints. libxml2/xmlsec1 are not aware of those constraints and thus process the document based on the full/general xmldsig rules. What is happening is the following: - xmldsig-core allows the signature-information and the data that was signed to be in different places. This works by setting the URI attribute of the Reference element. The URI attribute contains an optional identifier of the object being signed. (see "4.4.3 The Reference Element" -- https://www.w3.org/TR/xmldsig-core1/#sec-Reference) This identifier is actually a pointer that can be defined in many different ways; from XPath expressions that need to be executed(!), to a full URL that should be fetched(!) in order to recalculate the signature. - saml-core section "5.4 XML Signature Profile" defines constrains on the xmldsig-core facilities. It explicitly dictates that enveloped signatures are the only signatures allowed. This mean that: * Assertion/RequestType/ResponseType elements must have an ID attribute * signatures must have a single Reference element * the Reference element must have a URI attribute * the URI attribute contains an anchor * the anchor points to the enclosing element's ID attribute xmlsec1 does the right thing - it follows the reference URI pointer and validates the assertion. But, the pointer points to an assertion in another part of the document; not the assertion in which the signature is embedded/enveloped. SAML processing thinks that the signature is fine (that's what xmlsec1 said), and gets the assertion data from the assertion that contains the signature - but that assertion was never validated. The issue is that pysaml2 does not enforce the constrains on the signature validation facilities of xmldsig-core, that the saml-core spec defines. The solution is simple; all we need is to make sure that assertions with signatures (1) contain one reference element that (2) has a URI attribute (3) that is an anchor that (4) points to the assertion in which the signature is embedded. If those conditions are met then we're good, otherwise we should fail the verification. -- Ivan c00kiemon5ter Kanakarakis >:3

5 years, 5 months

1
0
0 0

Reminder: idpy dev off-week call, 14 January 2020

by hlflanagan＠sphericalcowgroup.com

Meeting URL https://bluejeans.com/672796580 <https://bluejeans.com/252755948> Meeting ID 672 796 580 Agenda: 0. Agenda bash 1. Administrivia a. Idpy Board nominations b. March 23 Hackathon/Workshop in Stockholm 2. OIDC Federation update a. Second Implementer’s Draft of OpenID Connect Federation Specification Approved <https://openid.net/2020/01/08/second-implementers-draft-of-openid-connect-f…> b. Repository status 3. GitHub review a. OIDC implementations: b. Satosa - https://github.com/IdentityPython/SATOSA <https://github.com/IdentityPython/SATOSA> c. pySAML2 - https://github.com/IdentityPython/pysaml2 <https://github.com/IdentityPython/pysaml2> d. pyFF - https://github.com/IdentityPython/pyFF <https://github.com/IdentityPython/pyFF> 4. AOB

5 years, 5 months

1
0
0 0

Nominations now open - idpy Board

by hlflanagan＠sphericalcowgroup.com

Hola a todos! As described in the Statues of IdentityPython [1], roughly half the seats for the idpy Board are opening for nominations. The following members have completed their one-year terms: Ivan Kanakarakis (current chair) Mike Jones Chris Whalen Roland Hedberg (at-large) They are all eligible to be nominated again for a new board term. The term for these seats is now shifting to a two-year cycle, such that half the board will be up for nomination each year. Participants on the idpy-dev list act as the nominating committee for the idpy board. If you would like to nominate someone (or self-nominate) please contact me directly no later than 24 January 2020. Thank you for your time and consideration, Heather Flanagan [1] Excerpt from the Statutes of IdentityPython (https://dracc.commonsconservancy.org/0024/ <https://dracc.commonsconservancy.org/0024/>) Board of Directors The central decision-making body within IdentityPython is the IdentityPython Board of Directors (in short: the IdentityPython Board). The IdentityPython Board is a committee responsible for making and coordinating decisions on behalf of the user and developer community around IdentityPython, according to the conditions set forth in these Statutes as well as any Regulations established by prior decisions of the IdentityPython Board. The IdentityPython Board is expected to consult and find consensus for decisions with the user and developer community. The IdentityPython Board has a minimum of three, and a maximum of seven natural persons. The founding IdentityPython Board has appointed a number of its constituting Directors to serve a half (12 month) term, and the remainder to serve a regular (24 month) term. Subsequent Directors are elected by the IdentityPython Board to regular 24-month terms according to the procedure set out in these Statutes. The founding Board will select a nominating committee of active developers and other contributors to identify candidates for ongoing Board membership. Directors are permitted to seek office for multiple terms, however, when running against other candidates the amount of terms they have consecutively served is deducted from the votes cast in their favour. This provides a balance between continuity, equal opportunities and renewal of qualities and competences. The IdentityPython Board determines the Programme's structure and processes, and is responsible for maintaining its Statutes and Regulations. The IdentityPython Board is free to make or revise any decision, taking into consideration applicable law as well as any immutable conditions previously established within the Statutes or Regulations. In order to efficiently fulfill its tasks, the Board may establish specialized committees and task forces, as well as assign named roles to qualified individuals to provide advice and assistance on specific issues. The associated qualifications, tasks and responsibilities SHALL be formalised by publication as part of the Regulations of IdentityPython. The IdentityPython Board (and any person, group or organisation mandated by the IdentityPython Board on its behalf) must act in good faith and in the common interest of the developer community and the wider user community of IdentityPython. If significant harm to the organization has been committed by any Director, he or she MAY be removed from the Board by a simple majority vote of the rest of the Board. The IdentityPython Board SHALL convene offline or online at least every twelve (12) months.

5 years, 5 months

1
0
0 0

How far along are we with the proposed hackathon before the EduGAIN Town Hall ?

by roland＠catalogix.se

It was mentioned in the notes from the idpy dev call, 17 December 2019. — Roland The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style. -Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)

5 years, 5 months

1
0
0 0

Invitation: idpy dev off-week call @ Tue Jan 14, 2020 6am - 7am (PST) (idpy-discuss@lists.sunet.se)

by hlflanagan＠sphericalcowgroup.com

You have been invited to the following event. Title: idpy dev off-week call Meeting URL https://bluejeans.com/672796580?src=join_info Meeting ID 672 796 580 Want to dial in from a phone? Dial one of the following numbers: +1.408.740.7256 (US (San Jose)) +1.408.317.9253 (US (Primary, San Jose)) (see all numbers - https://www.bluejeans.com/premium-numbers) Enter the meeting ID and passcode followed by # Connecting from a room system? Dial: bjn.vc or 199.48.152.152 and enter your meeting ID & passcode When: Tue Jan 14, 2020 6am – 7am Pacific Time - Los Angeles Where: https://bluejeans.com/672796580 Calendar: idpy-discuss at lists.sunet.se Who: * hlflanagan at sphericalcowgroup.com - creator * idpy-discuss at lists.sunet.se Event details: https://www.google.com/calendar/event?action=VIEW&eid=MnZ1Y2FuMHE2YmdsbHRvd… Invitation from Google Calendar: https://www.google.com/calendar/ You are receiving this courtesy email at the account idpy-discuss at lists.sunet.se because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn more at https://support.google.com/calendar/answer/37135#forwarding

5 years, 5 months

1
0
0 0

Reminder: call cancelled for 7 January 2020

by hlflanagan＠sphericalcowgroup.com

Hola a todos! As a reminder, the idpy dev call is cancelled for 7 January 2020. We are pushing the call out one week; expect a SEPARATE calendar invitation for that call. Thanks, Heather

5 years, 5 months

1
0
0 0

uniAuth v1.0.0 release

by giuseppe.demarco＠unical.it

Hi everyone, I'm happy to announce the first official release of uniAuth (v1.0.0), a SAML2 IdP based on Django and pySAML2. https://github.com/UniversitaDellaCalabria/uniAuth/releases/tag/v1.0.0 Next minor releases will focus on the updates coming from pySAML2. Next major releases will introduce OIDC through django-oidc-op (oidcendpoint) https://github.com/peppelinux/django-oidc-op Thank you idpy community ____________________ Dott. Giuseppe De Marco CENTRO ICT DI ATENEO University of Calabria 87036 Rende (CS) - Italy Phone: +39 0984 496961 e-mail: giuseppe.demarco at unical.it

5 years, 5 months

1
0
0 0

Notes: idpy dev call, 17 December 2019

by hlflanagan＠sphericalcowgroup.com

Attendees: Giuseppe, John P , Johan, Hannah Sebuliba, Antonis, Nikos, Ivan, Hanna Short, Christos, Heather Regrets: Roland 0. Agenda bash 1. OIDC Federation update a. OIDF poll open until 7 January 2020 (https://openid.net/foundation/members/polls/196 <https://openid.net/foundation/members/polls/196>) Requires OIDF membership to vote, but that isn’t expensive for individuals 2. GitHub review a. OIDC implementations Idpy Board agreed last week to take the OIDC python libraries under idpy. Roland and OIDF have to make sure IPR is clear and Roland will then move the GitHub repositories into idpy. Over time, we will deprecate the pyOP libraries. b. Satosa - https://github.com/IdentityPython/SATOSA <https://github.com/IdentityPython/SATOSA> New front end for Satosa being worked on by Antonis and Nikos. The initial work is being done outside GitHub (because it is part of another project). New Satosa release - includes a (potentially) breaking change around how we map to OIDC claims that have multiple values. When we create a new response towards an RP, the internal representations have multiple value (e.g., given name has 2 values). The OIDC spec does not dictate how to handle multiple values; that must be defined per claim. Sometimes the values are separated by a space, sometimes an array. The core claims in Satosa are now defined, and other claims are also being defined. See the documentation for more detail. Next on the list for development: https://github.com/IdentityPython/SATOSA/pull/280 <https://github.com/IdentityPython/SATOSA/pull/280> https://github.com/IdentityPython/SATOSA/pull/279 <https://github.com/IdentityPython/SATOSA/pull/279> https://github.com/IdentityPython/SATOSA/issues/179 <https://github.com/IdentityPython/SATOSA/issues/179> https://github.com/IdentityPython/SATOSA/issues/148 <https://github.com/IdentityPython/SATOSA/issues/148> Also a request by Giuseppe to look at: https://github.com/IdentityPython/SATOSA/pull/220 <https://github.com/IdentityPython/SATOSA/pull/220> - These require some architectural decisions about if/how to create new hooks in modules. Ivan will consider the options. https://github.com/IdentityPython/SATOSA/pull/216 <https://github.com/IdentityPython/SATOSA/pull/216> - Should be easy to merge. https://github.com/IdentityPython/SATOSA/pull/214 <https://github.com/IdentityPython/SATOSA/pull/214> - Ivan needs to review this one in more detail. c. pySAML2 - https://github.com/IdentityPython/pysaml2 <https://github.com/IdentityPython/pysaml2> Next on the list for development: https://github.com/IdentityPython/pysaml2/pull/647 <https://github.com/IdentityPython/pysaml2/pull/647> https://github.com/IdentityPython/pysaml2/pull/518 <https://github.com/IdentityPython/pysaml2/pull/518> https://github.com/IdentityPython/pysaml2/pull/602 <https://github.com/IdentityPython/pysaml2/pull/602> Will also start looking at signing and encryption. Hannah Short is willing to assist. d. pyFF - https://github.com/IdentityPython/pyFF <https://github.com/IdentityPython/pyFF> Leif is working on the PR for pyFF 2.0. This will drop the front end from the pyFF repo; the front end and UX will be under thiss.io (which is not an idpy project). 3. AOB Hackathon - did not get a lot of people; having it overlap the sessions did not work well. Suggestion was made to make another hackathon on 23 March, immediately before the eduGAIN town hall. Tutorial - rather than dev work, suggest we try this at the BoF planned for TNC Workshop - suggest we try a more focused dev day where we define in advance what things people will work on; this will require a bit more framing but has the possibility of more code as an outcome. Maybe use the TIIME meeting for this? Heather to send out a poll to see what idpy developers would be interested in. Next call scheduled for January 7. Ivan (and other team members) will be traveling that day to an eduTEAMS meeting; Ivan to verify whether he can make that day or if we need to move the call.

5 years, 6 months

5
9
0 0

Reminder: idpy dev call (off week) 17 December 2019

by hlflanagan＠sphericalcowgroup.com

Meeting URL https://bluejeans.com/252755948 <https://bluejeans.com/252755948> Meeting ID 252 755 948 Agenda: 0. Agenda bash 1. OIDC Federation update a. OIDF poll open until 7 January 2020 (https://openid.net/foundation/members/polls/196 <https://openid.net/foundation/members/polls/196>) 2. GitHub review a. Oidc implementations: b. Satosa - https://github.com/IdentityPython/SATOSA <https://github.com/IdentityPython/SATOSA> c. pySAML2 - https://github.com/IdentityPython/pysaml2 <https://github.com/IdentityPython/pysaml2> d. pyFF - https://github.com/IdentityPython/pyFF <https://github.com/IdentityPython/pyFF> 3. AOB

5 years, 6 months

2
1
0 0

Shift in time/format for the idpy dev call, 10 December 2019

by hlflanagan＠sphericalcowgroup.com

Hola a todos! As discussed on the last call, rather than have a conference call tomorrow, we will be encouraging people to tune into the Identity Python slack channel to participate in the Hackathon. The hackathon starts at 09:00 UTC -6 (an hour after our usual call time), and the slack channel can be found here: https://join.slack.com/t/identity-python/shared_invite/enQtNzEyNjU1NDI1MjUy… I look forward to “seeing” you tomorrow! -Heather Sent from my iPad

5 years, 6 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Idpy-discuss