Hi guys,
Regarding pySAML2, I'd like to discuss:
1. pySAML2 fails some security unit tests
(https://github.com/italia/spid-saml-check) in the SPID federation context.
Excluding what is strictly linked to SPID, I saw that the following could
expose some issues. Using a SATOSA proxy, I found these missing
validations in the backend:
a) Issuer format, presence and consistency should be validated:
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
b) Assertion Version: it could be 4.1 as well; it should instead always be 2.0
c) Assertion IssueInstant: a value in the future should not be permitted,
nor should a value in the past
d) Subject NameID Format: should be validated against the permitted
values; at the moment it could be anything
e) ... others and details here, all the checks I did:
https://github.com/peppelinux/Satosa-saml2saml/blob/master/example/backends…
Regarding SATOSA, I'd like to discuss:
1. Session Storage (from cookie to multiple storage engines). I'd need to
play with it; I'd like to have a clue about this inner feature in relation
to the current dev roadmap.
2. additional features: a Notification MicroService (ResponseMicroService)
that sends an email, if email is among the available attributes, on each
authentication that occurs (yes, it could be extended with a Telegram bot and
other stuff)
Regarding oidcendpoint/JWTConnect-Python-OidcRP
1. Yes, it would be great to decouple the OAuth2 libs as an independent
dependency (and we know that it will take time) and then have an OAuth2
toolkit ready to produce, through this, a Client and an AS. I already
proposed this in the last meeting, but I know that unfortunately I don't
always express myself well. I have doubts :)
Regarding fedservice
1. It would be great to have a configuration example to start playing with
it. Using this application I'd create some use cases, also consulting the
opinions of service operators in the IDEM GARR AAI.
These are not priorities, and you know this; I just needed to take these notes
to reduce my words during the meeting ;)
Best regards
On Sat, 26 Oct 2019 at 01:30 Heather Flanagan <
hlflanagan at sphericalcowgroup.com> wrote:
Date: Tuesday, 29 October 2019
Time: 06:00 PT | 09:00 ET | 13:00 UTC
https://bluejeans.com/489221749
Agenda:
0. Agenda bash
1. GitHub review
a. pySAML2 -
https://github.com/IdentityPython/pysaml2
b. Satosa -
https://github.com/IdentityPython/SATOSA
c. pyFF -
https://github.com/IdentityPython/pyFF
d. …
2. AOB
Thanks! Heather
_______________________________________________
Idpy-discuss mailing list
Idpy-discuss at lists.sunet.se
https://lists.sunet.se/listinfo/idpy-discuss
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
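As an added example (not code from pySAML2, SATOSA or the spid-saml-check suite), here is how the four checks a) to d) listed in the message above could be enforced on a bare saml:Assertion with the Python standard library. The expected IdP entityID, the set of permitted NameID formats, the clock skew and the maximum assertion age are assumed deployment policy, the sample assertions are constructed, and XML signature verification is assumed to happen elsewhere (it is out of scope here).

```python
"""Structural checks on a saml:Assertion (added example, not pysaml2/SATOSA code)."""
import re
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# Assumed deployment policy: NameID formats this SP accepts.
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
_INSTANT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$")


def parse_instant(value):
    """Parse a SAML xs:dateTime; SAML core requires UTC with a 'Z' suffix."""
    m = _INSTANT_RE.match(value)
    if not m:
        raise ValueError(f"IssueInstant is not a UTC xs:dateTime: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if m.group(2):  # optional fractional seconds, truncated to microseconds
        dt = dt.replace(microsecond=int((m.group(2)[1:] + "000000")[:6]))
    return dt


def validate_assertion(xml_text, expected_issuer, now=None,
                       skew=timedelta(seconds=180), max_age=timedelta(minutes=5)):
    """Return the list of failed checks; an empty list means the assertion passed."""
    now = now or datetime.now(timezone.utc)
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return [f"root element is {root.tag}, expected saml:Assertion"]

    # b) Version must be exactly "2.0", not e.g. "4.1"
    if root.get("Version") != "2.0":
        errors.append(f"Version is {root.get('Version')!r}, expected '2.0'")

    # c) IssueInstant: present, UTC, not in the future, not older than max_age
    instant = root.get("IssueInstant")
    if instant is None:
        errors.append("IssueInstant missing")
    else:
        try:
            issued = parse_instant(instant)
        except ValueError as exc:
            errors.append(str(exc))
        else:
            if issued > now + skew:
                errors.append(f"IssueInstant {instant} is in the future")
            elif issued < now - max_age - skew:
                errors.append(f"IssueInstant {instant} is too old")

    # a) Issuer: exactly one direct child, entity Format, value equal to the IdP
    # entityID we expect. SAML core lets Format be omitted (meaning entity);
    # requiring it explicitly is the stricter policy assumed here.
    issuers = root.findall(f"{{{SAML_NS}}}Issuer")
    if len(issuers) != 1:
        errors.append(f"expected exactly one saml:Issuer, found {len(issuers)}")
    else:
        fmt = issuers[0].get("Format")
        if fmt != ENTITY_FORMAT:
            errors.append(f"Issuer Format is {fmt!r}, expected {ENTITY_FORMAT}")
        value = (issuers[0].text or "").strip()
        if value != expected_issuer:
            errors.append(f"Issuer {value!r} does not match expected {expected_issuer!r}")

    # d) Subject/NameID: present, permitted Format, non-empty value
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        errors.append("Subject/NameID missing")
    else:
        if name_id.get("Format") not in ALLOWED_NAMEID_FORMATS:
            errors.append(f"NameID Format {name_id.get('Format')!r} not permitted")
        if not (name_id.text or "").strip():
            errors.append("NameID value is empty")
    return errors


# Constructed sample assertions (unsigned) and a fixed clock for the demo.
_TMPL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_id1" Version="{ver}" IssueInstant="{instant}">
  <saml:Issuer{issuer_fmt}>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID Format="{nid_fmt}">_s1</saml:NameID></saml:Subject>
</saml:Assertion>"""
GOOD = _TMPL.format(ver="2.0", instant="2019-10-26T01:30:00Z",
                    issuer_fmt=f' Format="{ENTITY_FORMAT}"',
                    nid_fmt="urn:oasis:names:tc:SAML:2.0:nameid-format:transient")
BAD = _TMPL.format(ver="4.1", instant="2019-10-26T02:30:00Z", issuer_fmt="",
                   nid_fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
NOW = datetime(2019, 10, 26, 1, 31, tzinfo=timezone.utc)
NOW_LATER = NOW + timedelta(minutes=30)

if __name__ == "__main__":
    print(validate_assertion(GOOD, "https://idp.example.org", now=NOW))
    for err in validate_assertion(BAD, "https://idp.example.org", now=NOW):
        print("FAIL:", err)
```

The function collects every failed check rather than stopping at the first one, which is what you want when comparing a backend against a test suite like spid-saml-check: one run shows all the gaps. In a real backend the result would be turned into a rejection of the whole response, and the same Issuer and IssueInstant rules would be applied to the enclosing samlp:Response as well.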