Attendees: John P., Giuseppe, Hannah, Roland, Scott, Ivan, Alex, Johan, Christos, Heather Notes: 0 - Agenda bash 1 - Discussion    a. <NameIDPolicy> and <NameID> Format attribute See discussions on slack. There is a policy setting; you may want to request a specific NameID format from an IdP, and if you don’t define the config option, what happens? We can request a NameID format in an authN request, and we can advertise in metadata what NameID we support. One thought (Ivan) is that it would be better not to advertise a NameID format, and only when you want a specific format to request it. Alternatively (Christos), do not request anything during the AuthN request, and to list in metadata in preference order the NameID format you will support. [Discussion] Should we leave this config option out, thus not setting the NameID policy at all? We should be able to set the NameID policy; there are use cases where we have to force this. Separating the two config options is a good thing to do. We need to set a NameID policy without a NameID. The string “none” is a hack. We can set some defaults, and if we need more complexity, it should probably be in a microservice. Christos points out that a microservice can’t do this because it’s at the wrong place in the workflow. The microservice architecture would need to be refactored. Satosa defines an internal representation fo the data, and the microservices act on that. When something is defined we need to make sure it can be defined into something for the outgoing protocol; for NameID, at the point the microservices are requested, they don’t have access to the backend or its metadata. We would need to make a change that would allow some or all microservices to run at a different point. If anyone has specific requirements here, please let Ivan know.    b. Custom syntax in YAML -  https://github.com/IdentityPython/SATOSA/pull/316 A new tag that would allow us to specify an environment variable. Use case: a deployment via docker swarm or kubernetes, and it is convenient to inject secrets via environment variables into the containers. Was handled via entry point scripts. The YAML config files are in an open Git repository. This gets cumbersome. Scott implemented a first draft, and Ivan improved it. Could we use py files instead of YAML files? This would work for pySAML2, but not for Satosa. Ivan will think about this a bit more, and then either merge the code or figure out another way to do this. Action item: Scott will improve the documentation (more examples would help) Action item: Ivan to consider this further; code is fine if we go with the current syntax.    c. Shibboleth encryption algorithms Use case: the Shib project has announced that as of v4 of the IdP, default will be GCM encryption. This can be changed either globally or per RP. There are many Satosa SPs that will need to be able to consume that default. This is handled correctly for Satosa, but pySAML2 has two backends for encryption, and one uses xmlsec1, and the other on a python security library. With the xmlsec1, we generate the commands and run them from the xmlsec1 binary. Whether we can read/decrypt the GCM based payloads depends on what xmlsec1 supports. If your openSSL supports the GCM encryption, then xmlsec1 will support it as well, and everything should work correctly. We do need to add the different algorithms to pySAML2. Action item: Scott to open an issue against pySAML2 to help track this 2 - GitHub review    a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc) Will discuss at a future meeting (hopefully at the hackathon). Roland will release new versions tomorrow.    b. Satosa - https://github.com/IdentityPython/SATOSA         i. New release (v6.1.0) -  https://github.com/IdentityPython/SATOSA/releases/tag/v6.1.0 Contains a new middleware dependency that takes care of the SameSite cookie issue. It sets the SameSite attribute to none. Note only Python 3.8 and newer are the only ones that know about the SameSite attribute. There is also a new dependency that takes that cookie, duplicates it, and removes the SameSite attribute; that means it sends two cookies, one with it set, one without. Clients that do not know what the SameSite attribute are about will drop it, and ones that do will have it. Satosa only cares about the cookie it sets itself. Deployer will need to define the configuration that takes the cookie name and the holdback name. See example:  https://github.com/IdentityPython/SATOSA/blob/master/example/proxy_conf.yam… SameSite attribute is set here:  https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/state.py#L50 Monkey patch:  https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/cookies.py#… Release also includes a fix for sessionID. This comes out of some of the updates to logging. The sessionID is now part of the state, not part of where the logs happen. Now set pySAML2 to v5 or newer, in response to a security vulnerability that was patched in v5    c. pySAML2 - https://github.com/IdentityPython/pysaml2    d. pyFF - https://github.com/IdentityPython/pyFF 3 - AOB Thanks! Heather