Roland, Ivan, Matthew, Heather
1 - Administrivia
a. Website update - need to mention all the idpy OIDC projects, djangosaml2; Heather
to check GitHub to see what else is missing from the website
2 - GitHub review
a. OIDC - https://github.com/IdentityPython
Roland has updated the federation libraries to match the spec. Will be running an interop
event in the next few weeks.
Working on a seminar re: the design architecture for the OIDC projects, but that will
require some updates to the code to match the architecture he originally designed. The
project has strayed a bit from the original design (which is an expected evolution).
Roland will announce this on the idpy slack channel. Expect at least two hours. There will
be a slide deck and/or notebook that will also be published.
grantmanager has been updated as per feedback from Giuseppe
b. Satosa - https://github.com/IdentityPython/SATOSA
Matthew has a reference implementation of Satosa in AWS. Working on getting approvals
from his employer to publish it. Will be doing Internet2 TechEx ACAMP sessions on the
docker image and how to use it to get started. It's similar to the Shibboleth
reference implementation on AWS. This is intended to show a quick start to Satosa. Will
want to add on proper validation testing (unsure how to do that now).
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Planning to make a release (see updated document on how to publish a release). Will also
name it alpha or beta to see how that works.
One big MR (https://github.com/IdentityPython/pysaml2/pull/877 - reformatting code,
removed older python code, fixes as part of flake). Once this is done, will push the new
docs out to readthedocs.
• pyupgrade to fix "legacy Pythonisms"
• autoflake to remove unused imports (either left behind by pyupgrade, or otherwise)
• flynt, to fix non-f-string string formatting
• flynt -tc, to fix string concatenation too (which is more intrusive and could be unsafe,
but tests should catch things)
More changes in the queue:
- response name id instead of
response assertion name id; similar to issue 866. What's proposed directly in this PR
isn't ideal for a broader audience; choices need to be explicit and under the
- changing the default behavior and
requiring signed responses by default; there is a suggestion to not allow unsigned
responses at all, but that makes testing harder. There's also a lot of broken stuff
out there, so being able to turn signing off selectively is a good debugging tool.
- OpenSSL library updates (not
related to the recent bug). Ivan wants to remove dependency on this library.
Will be diving into some of the older PRs after this new release.