Hi Leif,
I added 2 pipes to buildin.py:
- publish_html creates static HTML views of IDPs and SPs, using XSLT based on Peter Schober’s alternative to MET;
- publish_split: similar to store, but added validUntil and creates signed XML-file per EntityDescriptor. This can be consumed dynamically by ADFS in an IDP role.
I put it directly into buildin.py because it shares some code with the sign pipe. Is this viable from your PoV - if yes, I would make an PR.
Cheers, Rainer
Hi all,
being part of Commons Conservancy brought up yet another subject,
which is whether we should add a header with license information in
every file in the projects under idpy. This is not something done in
an abstract way, there is a specific format modelling this information
(see https://spdx.org/ and https://reuse.software/ - more specifically
https://reuse.software/practices/2.0/) Still, I find it problematic.
We want to open up the question to the wider community and consider
their thoughts on this. The forwarded message below is discussing this
subject. You can see the question we posed, the answer we got and my
comments. Feel free to tell us what you think on this.
---------- Forwarded message ---------
Date: Thu, 16 May 2019 at 09:56
> ---------- Forwarded message ----------
> Date: May 8, 2019, 8:15 AM -0700
>
> > Why does CC think having a single license file per project is
> > insufficient? Our thought is that if we can avoid adding a header to
> > every single file, that would be nice, esp. given we already have this
> > info in the license file and we have the Note Well.
>
>
> this is not just our opinion, but something that is an industry and
> community standard for legal compliance these days. When companies like
> Siemens, Samsung or Honeywell use some code in one of the hundreds or
> thousands of devices and systems in their product line, they need to be
> able to provide the correct license and a download of the exact version.
> This means machine readability too.
>
I've actually observed the opposite of that. Communities abandon the
"license in every file" model, and just use a single LICENSE file in
the root of the project. The LICENSE file contains license
information, that is, it is not a single license but it has exception
sections and so on.
> To quote from https://reuse.software/practices/2.0/ :
>
> Scroll to the section "2. Include a copyright notice and license in each
> file"...
>
> "Source code files are often reused across multiple projects, taken from
> their origin and repurposed, or otherwise end up in repositories where
> they are separate from its origin. You should therefore ensure that all
> files in your project have a comment header that convey that file’s
> copyright and license information: Who are the copyright holders and
> under which license(s) do they release the file?
>
Continuing from above, the standardization of package-management
formats and tools has helped exactly with that: to avoid distribution
of single files, and instead provide packages and modules. It is bad
practice and considered a hack to copy files. Nobody liked that model
and everyone is moving away; it is unstructured, it becomes
unmanageable and it will cause problems.
> It is highly recommended that you keep the format of these headers
> consistent across your files. It is important, however, that you do not
> remove any information from headers in files of which you are not the
> sole author.
>
> You must convey the license information of your source code file in a
> standardised way, so that computers can interpret it. You can do this
> with an SPDX-License-Identifier tag followed by an SPDX expression
> defined by the SPDX specifications."
>
> (the text goes on for a while after this, to clarify the point but this
> is the basic gist of it)
>
> There is a nice Python tool to check:
>
> https://github.com/fsfe/reuse-tool
>
> I hope this makes sense
>
Well, it does not make complete sense. We're talking about licensing a
project. A project is not just code; there are data files (html, xml,
yaml, json files), binary files (archives/zip, images, audio, video,
etc), text files (configs, ini-files, etc) all "not-code". How do you
mark those files? Does the LICENSE file need a license-header? The
json format does not define comments, how do you add a header there?
If a binary file does not get a license header, why should a file with
code get one?
I would expect there to be a way to have the needed information
unified. If the files themselves cannot provide this information it
has to be external; thus the LICENSE file. If someone is worried about
somebody else re-using single files that do not have license
information (a python file, a png image, etc) there is really nothing
you can do (the DRM industry has been trying to solve for a long time;
and still your best bet is "social DRM").
Since, we're developing on open source with a permissive license, even
if someone does that, should we be happy that someone is actually
using what we built or sad that the files they copied did not have a
license header? And if they include the license information of that
copied file in their project's LICENSE file, is this solved?
Having pointed these contradictions, I am thinking that the "license
in every file" model seems to be a step backwards. It is introducing
overhead and does not really solve the problem, while at the same time
it enables a culture of bad practice (copying files around).
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
Hi all,
in my setup, SATOSA may listen on multiple interfaces/ports/vhosts, and
not all are accessible to all users. Therefore when sending the
authentication response, the IdPs must redirect the users to the
'correct' AssertionConsumerServiceURL. The problem is that the SAML2
backend always selects the first ACS address in the request
(src/satosa/backends/saml2.py:289).
I'd like to select the ACS URL based on the host name of the request
(context["http_headers"]["HTTP_HOST"] specifically). What do you think
about it? Would you consider such a pull request?
I'm still not entirely sure what to do if there's no match. I guess
Shibboleth SP used to specify the ACS URL in the AuthnRequest using
information from HTTP_HOST(?), since I remember seeing error messages on
IdPs when no AssertionConsumerServiceURLs in the metadata matched the
request. Even if I remember right, this might not be the best approach,
because I could think that it'd be more user friendly if SATOSA could
signal the error instead of the IdP, but this might be use case
dependent.
Thanks,
Kristof
Hi,
What is exactly the relationship between the attribute name format and
the mapping within attributemaps?
I couldn't fully understand that part of the code, but empirically it
seems that only the 'last' mapping file is considered, so it's not
possible to have multiple files for the same attrname-format, only one
mapping per name format is allowed. If this is correct, then adfs_v1x.py
and adfs_v20.py being separate files is pretty misleading.
Also, the satosa tree contains a subset (I didn't verify, whether it is
a true subset or not) of the pysaml's default attributemap dir, what is
the purpose of that directory?
Thank you,
Kristof
Hi!
In my calendar there is an IdPy meeting today.
Heather said at the last meeting the she would not be able to make the one today, her being at a meeting in Amsterdam.
Unfortunately I will also be unable to make the meeting today.
— Roland
Attendees:
Roland, Heather, Johan, Scott, Matthew
Regrets:
Ivan, Giuseppe
OIDC Libraries
• session management code: session was defined as one users from one client having one authentication. Based on that and user consent we create a grant. eduTEAMS wanted client authentication with no user involved, so not an OIDC flow but an OAuth flow. They did this by using the client info twice, so Roland has changed session management to grant management, conducting sessions so there can be more clients, no users. Now needs to update the documentation; that's in progress (it's a mess).
• Getting closer to the final OIDC Federation specification. Authors are now meeting weekly to clean up all remaining issues. Roland is now working on implementing the latest version.
Single Logout
• Hannah still working on this. (see notes from last call)
Documentation
• Are poetry and markdown going to be the standard tools/formats for all idpy?
• note that we may be able to use pandoc to convert documentation where necessary
• Matthew is working on the function documentation. It's not complete, but will submit a PR with what he has
Thanks! Heather
