Idpy meeting 20 November 2024

Attendees: Johan W, Johan L, Shayna, Ivan, Roland, Hannah S, Ali H, Mikael F

0 - Agenda bash

1 - Project review

a. General -

b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc, JWTConnect-Python-CryptoJWT, etc)

Roland's big PR - lots of changes to idpyoidc. He will divide into smaller chunks and issue as PRs.
upcoming work on audience policies - GRnet

c. Satosa - https://github.com/IdentityPython/SATOSA

Ivan has prepared new patches/releases - haven't posted but has the tags locally. Will announce on slack when the new version is available.
plan to merge in stages
Ivan has been getting requests to easily setup an environment to run satosa and run it locally. He has been thinking about doing something similar to the reflector backend (the reflector backend, instead of going out to a actual idp, immediately creates a payload and returns a response). To start the flow we need a service - create something like the reflector backend which will act as a frontend. It will directly trigger a flow when you try to access it, and once it gets a response it will just show the response. Then we don't need to involve any other service that acts as an SP or IdP. Can configure how we want IdP to behave. Frederik from Umea Universitat - plugin that displayed a page and allowed you to insert your own values for attributes; it also created several profiles. Would like to try and build on this.
Single logout discussion with Hannah Sebuliba

Met with Ivan and Ali in January 2024 to try and merge the work she had done into Satosa. There are some conflicts and Hannah would like guidance how to proceed.
In provious discussions, the recommendation was to hide the single logout capabilities behind a flag in order to control when they are enabled, so that changes will not affect existing workflows. This allows merging without breaking, and testing and testing and fixing things as we go along. Then when everything looks good, either remove the flag, or keep it so people have the option to enable or disable the feature.
Important to document what the new features are - what bindings are supported, what the checks that are implemented actually do, verify messages, signatures, and identifiers within logout request and response messages.
The most important thing is to record what we do with the state. To support logout we need to keep state, The state has to do with the sessions, the identifiers of the users, and the identifiers of requests that came in and correspond to the logout message. Also allows us to avoid attacks where someone could send logout requests using an identifier they found somewhere.
It would be good to update the state diagrams
Hannah felt an important idea was to move the session handling to SATOSA rather than SAML ends - this is under discussion
Ali's work has the storage within SATOSA - some parts of the storage are in the frontend or backend. There is a map between frontends and backends connecting the session. The logout request should not be specific to only one protocol. This required the session to be kept within SATOSA. Currently Ali's work supports Postgres. Can add other adapters. Also has the logout enabled flag.
There are differences in the work Ali and Hannah have done, not just the protocol but also the flow itself. Hannah has worked on SP initiated logout - with SAML SPs and only logs out SAML IdPs. It will not log out OIDC-based IdPs. Ali worked on the OP initiated logout. Even so, the requirements and the state that needs to be kept are very similar.
Need to get back to original code and review it. Should be able to merge PRs independently, as long as they are behind the feature flag. Storage - abstract managed by the proxy and not related to the protocols directly. This will add some complexity before and can be messy. Ivan is not totally sure this is the right way. If code is kept isolated, should work.
There was some discussion on 1) whether the flag should be the same or separate for each protocol. Ivan seemed to think it should be the same overall. 2) Whether the logout should work for both protocols (no matter which protocol initiates the logout, SPs and IdPs from both protocols are logged out). Ivan thinks eventually it should work this way but initially each developer should focus on the protocol they have been working with.
Hannah asks are there any services to use as test RP/OP? At one time Ivan had done someting simple with Apache module - modauth openidc https://github.com/OpenIDC/mod_auth_openidc. Ivan doesn't think she should worry about that right now. Merge the initial patches and then worry about oidc.

d. pySAML2 - https://github.com/IdentityPython/pysaml2

e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)

new release coming that will allow filtering of idps based on trust authority. Discovery service parts are being tested right now.

two phases - information processed by pyff - produces artifacts that are fed into thiss-ds and are searchable by users.
maybe there can be an information session on this during a future meeting.

2 - AOB

Roland has big demo on digital wallet coming up in Paris.

He has created a document with Giuseppe about profiling the federation specification.