1) sigver refactor to have an xmlsec wrapper or a Python-native library to:
a) disable weak algorithms
https://github.com/IdentityPython/pysaml2/pull/628
b) stop doing disk I/O, creating new files or making system calls to get xmlsec to work
https://github.com/IdentityPython/pysaml2/pull/634
c) implement/fix some other issues/features related to this
Ivan: What is here can be merged, but more needs to be done.
Pepe: Is there a right moment to let the user choose which tool they want to use to do this
kind of task?
Ivan: there are two backends now, one that directly calls the xmlsec1 binary. The other is
pyXMLSecurity (https://github.com/IdentityPython/pyXMLSecurity), which is built through idpy, and
while it does lack some things, basic support for the most common operations is there. It
also supports all the PKCS#11 stuff. We could extend it to support more things.
Ivan: need to support
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/sigver.py#L644
2) Encrypt the Assertion if the SP has encryption keys in its metadata (as Shibboleth already
does). I'll have to dig into the code to make a proposal; if there are any suggestions,
I'll appreciate them.
Multiple options to configure this behavior. This must be an explicit option; just
because you have an encryption key doesn't mean you want it to always be used.
See
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/config.py#L36
See
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/config.py#L104-L106
b. Satosa - https://github.com/IdentityPython/SATOSA