- Idpy-discuss - lists3.sunet.se

idpy dev call CANCELED for 28 February 2023

by Heather Flanagan

Hi all! We don’t have a lot of new things to cover and several folks are going to be attending the R&E/FedCM meeting this week in California, so I’m canceling the idpy call. Our next call is scheduled for 14 March 2023. See you then! Thanks! Heather

1 year, 2 months

1
0
0 0

Setup of Many to One instance

by Little, Cody (Education)

UNOFFICIAL Hey All, We're looking at setting up SATOSA as a SAML proxy for a handful (300+) SAML apps (very basic onelogin php-saml apps) to a single Okta SAML2 app. From reading through the documentation a number of times, I'm a bit confused. Few questions: Do I need to create a front-end config for each SP or just append additional metadata URLs to the metadata array? How are the SPs differentiated from one another if not by entity IDs is this where the client-side cookie comes in? If anyone has some insight around the configuration, any help is much appreciated. Regards, Cody

1 year, 2 months

2
2
0 0

Notes: idpy dev call, 14 February 2023

by Heather Flanagan

Attendees Roland, Heather, Scott, Ivan, Matthew Notes: 0 - Agenda bash 1 - Project review a. General [not for public consumption] Security issues - haven't resolved this yet; will be creating a patch and eventually entirely deprecating the affected package. Regarding the recent security issue reported by Shibboleth, we use the same XML parser but it is restricted to a specific set of rules. We do not appear to be affected by the issue. Ivan is still investigating. b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-CryptoJWT, idpy-oidc, fedservice, etc.) Roland has a fork named fedservice that has a number of updates (this is separate from the fedservice package). Roland has tried to condense it, but that hasn't worked well. It is a massive set of changes. Will want people to try to use the package and see if it breaks. If it does, reach out to Roland for assistance. Fedservice the package is almost update to the latest version of the OIDC federation spec. SUNET will run an OIDC federation POC which will provide us with some useful feedback. [not for public consumption] The Swedish government agency dealing with immigration/emigration want to migrate from a SAML federation to an OIDC federation. They are running a Microsoft proxy and Roland has pointed them to Satosa. They are a java shop, but Roland will suggest they donate money to idpy for Satosa support and support it that way. Note that SUNET is starting work on a digital wallet as part of the EU initiative. This may result in additional packages or libraries, and will primarily support OIDC c. Satosa - https://github.com/IdentityPython/SATOSA No update. d. pySAML2 - https://github.com/IdentityPython/pysaml2 New release has been posted (https://github.com/IdentityPython/pysaml2/releases/tag/v7.3.0) Big items include: • used poetry to clean things up, refactored code style • attribute requirements for subject-id Next release will start using mypy, bump the supported python version to 3.9, and support typing. See https://github.com/IdentityPython/pysaml2/pull/896 After that, will start looking at the use of pyOpenSSL for certificates and temporary file management for Window. e. Any other project (pyFF, djangosaml2, etc) Note that Matthew is going to package up pyFF and the thiss.io service. If anyone would like to work with him on that, please reach out! 2 - AOB What are the benefits of poetry? • https://www.geeksforgeeks.org/using-poetry-dependency-management-tool-in-py… • https://towardsdatascience.com/lets-jump-on-the-poetry-bandwagon-d0b650de17… Thanks! Heather

1 year, 2 months

1
0
0 0

Reminder: idpy developers call, 14 February 2023

by Heather Flanagan

Tuesday, 14 February 2023, 14:00 UTC Zoom: https://us06web.zoom.us/j/83378219417?pwd=dWFLdjRHK3BnRkZMa3VSd2lNaElpdz09 Agenda: 0 - Agenda bash 1 - Project review a. General b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) c. Satosa - https://github.com/IdentityPython/SATOSA d. pySAML2 - https://github.com/IdentityPython/pysaml2 e. Any other project (pyFF, djangosaml2, etc) 2 - AOB Thanks! Heather

1 year, 2 months

1
0
0 0

Help: How to set up saTosa

by Malathi Deenadayalan

Hi, I am new to this saTOsa set up. Please can you help me to setup saTosa for my idp. Regards, Malathi

1 year, 3 months

3
5
0 0

Notes: idpy dev call, 31 January 2023

by Heather Flanagan

Attendees: Roland, Johan, Heather, Scott, Ivan, Matthew Notes: 0 - Agenda bash 1 - Administrivia • Board will have their annual meeting next week. Same board slate. • Johan will be off for parental leave until August 2023 2 - Project review a. General b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) Roland has been working on documentation aimed towards software developers. Working on the PRs in the OIDC libraries and have merged all but one. Also started rebasing the fedservice fork so we can issue a PR soon for the work done to support federation. This will be a major PR but mostly in the lower level code. This will bring eduTEAMS in sync with this library; at that point there will be no reason to keep separate software running for eduTEAMS. OIDC federation spec is getting closer to being finalized. There have been discussion from people running OIDC federations in the same way that SAML federations are run (one authority collecting the info). There is a difficulty in that one model (OIDC federation spec) assumes end-to-end encryption where the other assumes that encryption stops at the edge and the organization can inspect the payload (required by regulation for banking). Finding a compromise by allowing metadata collection from well-known endpoints. This involves separating the path from the trust model. c. Satosa - https://github.com/IdentityPython/SATOSA Ivan is preparing a new release, but nothing major. Is considering accepting one more PR (https://github.com/IdentityPython/SATOSA/pull/429) and then will cut the new release. See also • https://github.com/IdentityPython/SATOSA/issues/428 • https://github.com/IdentityPython/SATOSA/pull/430 After this release, will move Satosa to using poetry and require Python 3.9. d. pySAML2 - https://github.com/IdentityPython/pysaml2 Next release will see minimum Python requirement to 3.9 (see email to list). Other major updates: • https://github.com/IdentityPython/pysaml2/pull/888 (may need further discussion) • https://github.com/IdentityPython/pysaml2/pull/895 (compatibility changes) A user came back to an issue (submitted as a PR: https://github.com/IdentityPython/pysaml2/pull/665) about how operations are done with xmlsec1. May need to revisit this. By default, pySAML2 uses the xmlsec1 binary. xmlsec1 works with files, so pySAML2 is always writing files to the file system, but Windows cannot automatically clean up those files; they have to have an external process cleaning up the files. This is not fixable. for the *nix systems, there are automatic cleanups, but they are buggy. Person who submitted the issue offered a suggestion (code) but another option is to handle xmlsec1 differently and offer a different back end. If interested, please review and comment on the PR. e. Any other project (pyFF, djangosaml2, etc) 3 - Documentation See OIDC update 4 - AOB Thanks! Heather

1 year, 3 months

1
0
0 0

Reminder: idpy developers call, 31 January 2023

by Heather Flanagan

Tuesday, 31 January 2023, 14:00 UTC Zoom: https://us06web.zoom.us/j/83378219417?pwd=dWFLdjRHK3BnRkZMa3VSd2lNaElpdz09 Agenda: 0 - Agenda bash 1 - Administrivia 2 - Project review a. General b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) c. Satosa - https://github.com/IdentityPython/SATOSA d. pySAML2 - https://github.com/IdentityPython/pysaml2 e. Any other project (pyFF, djangosaml2, etc) 3 - Documentation 4 - AOB Thanks! Heather

1 year, 3 months

1
0
0 0

Bumping the minimum supported Python version

by Ivan Kanakarakis

Hello everyone, Within IdentityPython we have agreed to support the Python version that comes with the stable version of Debian. The current stable distribution of Debian is version 11, codenamed bullseye. It was initially released as version 11.0 on August 14th, 2021 and its latest update, version 11.6, was released on December 17th, 2022. Debian stable supports Python 3.9, so I am looking towards bumping the minimum supported Python version to 3.9, for PySAML2 and then for SaToSa. Once this is done, we will be adding typing information to the codebases to ease contributions from other developers and start separating the public APIs from internal code. This will aid in documenting what is there, refactoring the code and cleaning up old and unused code. The plan is to create a new release with the currently merged changes. Then, have a separate release just bumping the minimum Python version required by the package. Expect these new releases to happen within the next week. Cheers, -- Ivan Kanakarakis - sunet.se

1 year, 3 months

1
0
0 0

Notes: idpy dev call, 17 January 2023

by Heather Flanagan

Attendees: Matthew, Roland, Johan, Ivan, Heather, Giuseppe Note: 0 - Agenda bash • py11 - who is maintaining this? 1 - Administrivia a. Board slate for 2023 • Heather Flanagan (Spherical Cow Group) • Leif Johansson (SUNET) • Christos Kanellopoulos (GÉANT) 2 - Project review a. General • python minimal version update; first with pySAML2 (see notes below) and later to Satosa and other libraries b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) • Roland's video is now on YouTube. While creating the session, found things to change in the code to be more consistent. That's been complete and the OIDC federation implementation has been updated as well. Question now is what to do with the older PRs from eduTEAMS. Should those PRs be applied first, then Roland's changes, or vice versa? When the work is complete, then Roland will not do any new development (bug fixes only) unless new functionality is absolutely required. Instead will focus on writing documentation for other core developers (not users) • PR for client credentials - nice to have, not necessary • PR for revocation endpoint - that is deployed and running in eduTEAMS; it should come with tests and ok to merge • PR for various changes - fixing or changing some things that came when eduTEAMS migrated to idpy oidc; changes that were never merged on oidc op. c. Satosa - https://github.com/IdentityPython/SATOSA One new issue reported - desire for support for more client authentication methods. Don't want to do this on pyop; should try to push them to use the new front ends. Still wants to move Satosa to using poetry, but hasn't had time yet. d. pySAML2 - https://github.com/IdentityPython/pysaml2 • bumping the minimum supported python version to 3.9 (as supported by latest stable Debian) - some of the updates to various libraries would be much nicer if we stick with a more recent version of python; would be able to use types (among other things). Primary cause for using types is support for better documentation. There are tools that will allow types to be stripped from the code if people in older environments need that. idpy 3.7 is the oldest supported python release, but support for that ends in June. • Ivan to send a note to the mailing list letting people know about this change. Bumping the python version will be its own release for pySAML2, then another release adding support for mypy, then a separate release adding support for types. • start adding typing support (and use mypy) - see python 3.9 discussion. Once you have enough info through the types, it is easier to refactor the code because you know what's there, what cases need to be covered. • this is done in the context of Johan and Fredrik working on adding support for the Anonymous/Pseudonymous/Personalized entity categories e. Any other project (pyFF, djangosaml2, etc) djangosaml2 - new release out; there was a regression from the previous release. pyFF - Matthew is planning to develop a docker official image for pyFF sometime this spring, similar to what he's developed for Satosa. What's on dockerhub now is old and not obviously maintained. Nicole Roy will also be part of this work. • eduTEAMS uses pyFF; they have forked the image and updated it with minor modifications. The problem with pyFF is that the bigger the metadata you give it, the more memory it requires. Could look into breaking the operation into chunks. The only reason the whole payload is required is to calculate the final signature, but that can be done incrementally. Unclear if this change would break anything. eduTEAMS (Ivan) has investigating this on the list, but it's not a high priority. This would be an internal change. • SUNET has also requested some changes and have created a branch with improvements. Need to ask Leif about this. py11 - ok for Johan to be the maintainer and merge his PR? Yes. 3 - Documentation Doc writing guidance: • https://www.writethedocs.org/videos/eu/2017/the-four-kinds-of-documentation… • https://developers.google.com/tech-writing • https://www.technical-communication.org/technical-communication/software-do… • https://ieeexplore.ieee.org/document/625327 (pay walled) Should we post a survey to collect information on the developer's experience to help prioritize/guide our documentation? When a developer lands on the idpy pages, do they have enough information to start contributing and engaging with the community? There are different types of developers - developers who are trying to deploy it, developers who want to add functionality, developers who are trying to find an answer to a specific question. • Roland is focusing on writing documentation for developers who have a specific problem with the current OIDC libraries • Heather and Ivan to review https://github.com/IdentityPython/Governance/blob/master/idpy-projects.md to see if it needs to be updated (see section on Technical quality) Thanks! Heather

1 year, 3 months

1
0
0 0

Reminder: idpy developers call, 17 January 2023

by Heather Flanagan

Tuesday, 17 January 2023, 14:00 UTC Zoom: https://us06web.zoom.us/j/83378219417?pwd=dWFLdjRHK3BnRkZMa3VSd2lNaElpdz09 Agenda: 0 - Agenda bash 1 - Administrivia 2 - Project review a. General • bumping the minimum supported python version to 3.9 (as supported by latest stable Debian) • start adding typing support (and use mypy) • this is done in the context of Johan and Fredrik working on adding support for the Anonymous/Pseudonymous/Personalized entity categories b. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) c. Satosa - https://github.com/IdentityPython/SATOSA d. pySAML2 - https://github.com/IdentityPython/pysaml2 e. Any other project (pyFF, djangosaml2, etc) 3 - Documentation 4 - AOB Thanks! Heather

1 year, 3 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Idpy-discuss