Just cut pyFF 2.0.0 - it's up on PyPI and github.com/SUNET/docker-pyff has been updated to support building 2.0.0. The most important difference is of course that 2.0.0 has undergone extensive cleaning. All frontend applications - i.e. the admin UI and discovery service - have been given their own separate projects, and pyFF is now an API server first and foremost. The admin UI is called github.com/SUNET/mdq-browser and the DS has famously become github.com/TheIdentitySelector/thiss-js from the seamlessaccess.org project.
Over the next few days I will spend some time updating the documentation - which has become a bit out of date - esp with more examples to illustrate a lot of the features that are part of pyFF but are sometimes less well known.
Another piece of news for 2.0.0 is that support for Python before v3.7 has been dropped.
Thanks! Heather
As described in the Statutes of IdentityPython [1], roughly half the seats on the idpy Board are opening for nominations. The following members have completed their one-year terms:
Ivan Kanakarakis (current chair)
Mike Jones
Chris Whalen
Roland Hedberg (at-large)
They are all eligible to be nominated again for a new board term.
The term for these seats is now shifting to a two-year cycle, such that half the board will be up for nomination each year.
Participants on the idpy-dev list act as the nominating committee for the idpy board. If you would like to nominate someone (or self-nominate) please contact me directly no later than 24 January 2020.
b. March 23 Hackathon/Workshop in Stockholm
Also, there will be a (small) f2f meeting at TIIME in Vienna. Will talk about how things are now, and where the platforms might go.
Suggest having a workshop-style meeting on the 23rd. It is a more specific audience, given they will be there about eduGAIN. Will build the list of things to work on during the TIIME meeting. Will have to allow for some flexibility on site. In general, topics will definitely include Satosa, pySAML2, pyFF, OIDC libraries.
Next steps: Heather to set up registration, send an announcement, and start a wiki page of topics.
2. OIDC Federation update
a. Second Implementer’s Draft of OpenID Connect Federation Specification Approved <https://openid.net/2020/01/08/second-implementers-draft-of-openid-connect-f…>
No one voted against (yay!). There were some discussions at TechEx on things to add to the specification; that will happen now that this version of the draft is approved.
There are plans for several interop workshops this year; could possibly run this in parallel to the idpy workshop, or some other time during the Town Hall. There will also be interop testing during TNC20. Still in discussion re: NORDUnet and/or IIW. There are currently 3 implementations ‘in the wild’.
b. Repository status
Waiting to hear from Mike Jones (OIDF) on whether they are okay with moving the repositories out from under OIDF.
3. GitHub review
a. OIDC implementations
(See above)
b. Satosa - https://github.com/IdentityPython/SATOSA
Ivan will be making a new release for Satosa to account for the new pySAML2 release (to include a hint for the dependencies). There will also be an update to the version of the LinkedIn API that we use; it should be compatible with the previous one. Also an update to allow the proxy to be a URL path. See:
https://github.com/IdentityPython/SATOSA/pull/279
https://github.com/IdentityPython/SATOSA/pull/280
https://github.com/IdentityPython/SATOSA/issues/179
Next on the list: work on logging. Need to make some change there, and this will eventually happen across all libraries. Ivan to coordinate with Hanna Sebuliba and Scott Koranda offline.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
There is a new release for pySAML2 that includes a security fix. See email from Ivan on 13 January 2020, Subject "[Idpy-discuss] PySaml2 v5.0.0 - Security release":
Alexey Sintsov and Yuri Goltsev from HERE Technologies reached out and reported an XML Signature Wrapping (XSW) vulnerability. The issue affects responses with signed assertions. PySaml2 can be tricked into thinking that an assertion has been signed and using the assertion information, when in reality the Signature points to another part of the XML document that is controlled by another party.
The issue was assigned CVE-2020-5390 and is now fixed in the latest pysaml2 release.
The relevant code commit that fixes the issue:
https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521…
Changes include the introduction of a new test file that tests the handling of unknown elements. The vulnerable use cases are those where you have signed assertions but unsigned responses.
Note: we should probably revise the incident handling procedure. It needs to be simplified (it currently has Ivan talking to himself at different stages). We should also discuss how to announce these security events. Should we warn the community that a security vulnerability has been found, and tell them when we’re going to do the announcement? Yes.
Apart from the security fixes, there are a handful of other changes. They are breaking changes (thus the new major number). In the future, security changes and breaking changes should not be included in the same release if possible. In this case, though, the security change is itself something of a breaking change, and it plus the other (small) breaking change were not too major a set of changes.
Reminder that we are not back porting security fixes. If others want to work on that, they can create branches.
d. pyFF - https://github.com/IdentityPython/pyFF
Heather will ask Leif to send out an update.
4. AOB
Our next call is 21 January 2020; note that the second half overlaps the eduGAIN Baseline Maturity call, so people may drop off early.
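The structural property that the XSW report above turns on is easy to state but easy to get wrong: the assertion the SP consumes must be the very element that the enclosed ds:Signature's Reference vouches for, and that ID must occur once in the document. The following is an added illustration written for these notes, not pysaml2's code and not the logic of the linked commit. It contrasts a naive consumer with one that applies the structural check on two constructed responses (signature values are placeholders; cryptographic verification of the referenced element is assumed to happen separately, e.g. via xmlsec, and the set of ID attribute spellings checked is this example's own assumption).

```python
# Added illustration of the XML Signature Wrapping (XSW) structural check.
# Not pysaml2's own code. Cryptographic verification of the signature over
# the referenced element is still required and is assumed to be done elsewhere.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample: unsigned Response carrying one signed Assertion.
# The SignatureValue is a placeholder; only the structure matters here.
BENIGN_RESPONSE = """<samlp:Response %s ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % XMLNS

# Constructed XSW variant: the attacker's assertion (_evil, subject admin) is
# what a naive consumer reads, but the copied Signature still references the
# original _a1 assertion, tucked into a ds:Object so that a cryptographic
# check over _a1 alone would still pass.
WRAPPED_RESPONSE = """<samlp:Response %s ID="_r1" Version="2.0">
  <saml:Assertion ID="_evil" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:Object>
        <saml:Assertion ID="_a1" Version="2.0">
          <saml:Issuer>https://idp.example.org</saml:Issuer>
          <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
        </saml:Assertion>
      </ds:Object>
    </ds:Signature>
    <saml:Subject><saml:NameID>admin@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""" % XMLNS


def naive_name_id(response_xml):
    """Vulnerable pattern: take the first top-level Assertion and trust it as
    long as *some* Signature with a Reference is enclosed somewhere in it."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    if assertion.find(".//ds:Signature/ds:SignedInfo/ds:Reference", NS) is None:
        return None
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    return None if nid is None else nid.text


def signed_assertion(response_xml):
    """Return the top-level Assertion that is the actual signed object, or None.

    Rules (this example's own, written against what XSW abuses):
      1. the candidate Assertion is a direct child of samlp:Response;
      2. it carries exactly one ds:Signature as a direct child;
      3. that Signature's single ds:Reference URI is '#' + the candidate's ID;
      4. that ID occurs exactly once in the whole document.
    """
    root = ET.fromstring(response_xml)
    if root.tag != q("samlp", "Response"):
        return None
    id_counts = {}
    for el in root.iter():
        for attr in ("ID", "Id", "id"):  # assumed spellings seen in the wild
            v = el.get(attr)
            if v is not None:
                id_counts[v] = id_counts.get(v, 0) + 1
    for assertion in root.findall("saml:Assertion", NS):
        aid = assertion.get("ID")
        if not aid or id_counts.get(aid) != 1:
            continue  # missing or duplicated ID: an XSW hallmark
        sigs = [c for c in assertion if c.tag == q("ds", "Signature")]
        if len(sigs) != 1:
            continue
        refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) != 1 or refs[0].get("URI") != "#" + aid:
            continue  # the signature vouches for some other element
        return assertion
    return None


def accepted_name_id(response_xml):
    """NameID from the assertion that passed the structural check, else None."""
    assertion = signed_assertion(response_xml)
    if assertion is None:
        return None
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    return None if nid is None else nid.text


if __name__ == "__main__":
    print("naive,   benign :", naive_name_id(BENIGN_RESPONSE))
    print("naive,   wrapped:", naive_name_id(WRAPPED_RESPONSE))
    print("checked, benign :", accepted_name_id(BENIGN_RESPONSE))
    print("checked, wrapped:", accepted_name_id(WRAPPED_RESPONSE))
```

The naive consumer returns the attacker's subject for the wrapped document because a Reference exists somewhere under the assertion it read; the checked version rejects it because the Reference names _a1 while the assertion being consumed is _evil. The structural check is a complement to, not a replacement for, verifying the signature bytes over the element the Reference actually names.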
2) These are all easy pull requests that can be merged after a quick revision; b), d) and e) are pure bugfixes:
a) ldap_store refactor: https://github.com/IdentityPython/SATOSA/pull/252
Will merge. This is mainly a discussion between Pepe and Scott.
b) Cookie state exception fix/workaround: https://github.com/IdentityPython/SATOSA/pull/250
Will merge.
c) multiple user_id: https://github.com/IdentityPython/SATOSA/pull/222
Could also do this via a microservice; may have one that already does this. Ivan will let Pepe know; having an example in this PR before closing would be helpful.
d) sign_alg/digest_alg policy fix: https://github.com/IdentityPython/SATOSA/pull/216
There is a similar PR on pySAML2 about introducing these options. (It was easier in Satosa.) Could map this to different configuration options to the backends, but would then need to map everything. It’s still a question on how to handle the different configurations between pySAML2 and Satosa.
Will merge this now, and when we have support in pySAML2 code, we can drop this from Satosa. Will still need to work on generalizing this.
e) selectable dig/sign algs in backends: https://github.com/IdentityPython/SATOSA/pull/214
The previous one (216) is a bug fix; this one is a proposed change. Still, see above, as it still applies.
3) The possibility to select the backend to use based on the entityID used for authentication. Proof of concept here: https://github.com/IdentityPython/SATOSA/pull/220. I cannot do this as a separate microservice because this implementation needs a small but easy change in the SATOSA core; I tried to code it as easy to read as possible.
This extends custom routing. Ivan will look at it.
2. Hackathon planning - https://wiki.refeds.org/pages/viewpage.action?pageId=44959235
Note that you have to register (even if you’re a speaker).
What do people need to get started? Suggest setting up a VM for Satosa so that people have a ready-made environment. Can set up a small image with everything ready and packed in, with no other setup. Will put it in the repository as an image. Will reuse this for other purposes (including future Hackathon). In the past, we’ve talked about having images that demonstrate different use cases; can use this for small demos.
Action item for Ivan; will try to have that this week
For the OIDC Federation table - they need to have read the specification and understood it. There will be at least three people at this table, including two Java programmers. When they have something running, they will start doing interop testing; Roland will have entities available for them to talk to in order to test their code. The SimpleSAMLphp programmer will also be there, but he may be at another table. The developers will have their own environment with them on their laptops.
Need to ask for white boards.
Would be good if the EIDAS people would be there.
John suggests looking at using this https://github.com/sitya/samlidp as a fast SP/IdP deployment; might not be the best fit.
Christos points out that they have an instance that might allow people to spawn SPs there. But if you want the developer to have the experience of deploying the IdP, then you need to do more. Probably don't need the IdP to do anything special; need to focus on developing the proxy and microservices.
Pepe: as SP I used this for my tests: https://github.com/peppelinux/Django-Identity/tree/master/djangosaml2_sp/dj… and as pysaml2 IdP I used uniAuth (https://github.com/UniversitaDellaCalabria/uniAuth)
If anyone else has more ideas on what they’d like to see during the Hackathon, please post to the list or send to Ivan
3. AOB
Next call: 3 September 2019. Will discuss status of Hackathon prep, OIDC libraries (if Roland is available), any pyFF updates (if Scott/Leif are available), and items from the mailing list.
1) Handle inconsistent context.state. The following PR is just a proof-of-concept and needs more attention for a better rationale: https://github.com/IdentityPython/SATOSA/pull/272. To prevent the possibility of making an authnRequest with an invalid/inconsistent/corrupted context, I think this PR also introduces the possibility of handling error or warning messages to end users in a definitive way: https://github.com/IdentityPython/SATOSA/issues/228#issuecomment-520275196
Ivan: The code assumes that we will always be in a situation where the cookie will be there. Need to change that and indicate when the cookie is missing. We may also have some implicit actions being done: authentication response assumptions based on things we find in that cookie, or the query parameters, or the body of the query response. Can fix this by starting with this PR, but more will need to be done so we don't need to have a user-friendly message.
Ivan: We don’t want to mess with HTML templates. What we want is an API that will allow us to return information about the error to other services for rendering. We still need to restructure the logging; that will help match the logging message to other error messages.
For this PR, Ivan will rephrase the message and then accept it. It is only a first step in what needs to be done.
Attendees:
Heather, Ivan, Roland, Scott, Peter, Christos, Giuseppe
Notes:
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
The authors of draft-ietf-regext-rdap-openid are considering the use of the OIDC Federation spec. Heather has put Roland/Giuseppe in touch with the authors.
All the libraries are being updated to make it through the OIDC test suite; oidcop is the last one to be updated and is in final review. When this is complete, we can continue with work such as the development efforts around identity assurance (EKYC group). The interop work is coming out of fintech. The verification of claims is related to the FAPI work; it's one part. There is a client verification method called MTLS, but if you're an RP that wants to use it, you have to be able to look at the certs used during the TLS communication; that's not possible in the current libraries (see https://www.python-httpx.org/advanced/#ssl-certificates)
b. Satosa - https://github.com/IdentityPython/SATOSA
Will be creating a new release for Satosa; various bug fixes.
Ivan has created a new label, "Next Release", which will tag issues and PRs that will be merged into the next release so that people know what's coming next. Ivan needs to go through the various issues to see if they need to be closed, moved, or whether more work is needed.
Ivan is looking into GitHub actions; Travis is still having problems.
Satosa and the microservice interfaces are being updated to support types; the goal is to keep the interfaces stable. Will do this via the data classes in pydantic. Hopes to expand this into pySAML2. This is a low-level change.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
New release available: https://github.com/IdentityPython/pysaml2/releases/tag/v7.1.0
We now have proper support for verifying signatures for redirect bindings on incoming authn and logout requests. See change log for more details.
There is a new capability to allow for on-demand metadata refresh. The endpoint is implemented in Satosa, but not set up by default. Could a worker in Satosa's web server be reserved for this? Ivan to look into having a separate queue to handle this task.
d. Any other project (pyFF, djangosaml2, etc)
Giuseppe needs to update djangosaml2 with the latest pysaml2.
There is a scalability issue in the eduTEAMs space (OpenID front end and the oidc libraries); they are passing JSON blobs up to 50Mb, which causes timeouts. But since the data structure must be what the library expects, it's hard to pull apart this blob. No immediate solutions available.
Thanks! Heather
Welcome to time-change-confusion time of year!
Attendees
Roland, Ivan, Heather
Agenda:
0 - Agenda bash
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Third Implementer's federation draft is out for vote in the OIDF.
Roland did the last certification step (logout certification for the RP libraries). Those have been submitted, but Roland hasn't heard back yet.
Considering a TNC22 session with Giuseppe on the intended move to an OIDC federation for Italian government entities.
The project was using a crypto library at version 3 that suddenly jumped to version 35 (they changed both the code and the versioning scheme), which broke many things.
b. Satosa - https://github.com/IdentityPython/SATOSA
Preparing a new release that will include the resolution of an issue (https://github.com/IdentityPython/SATOSA/pull/392) where the OIDC front end, using the old pyop library, did not properly handle error redirect URIs. Will set the minimum allowed version of pyop to 3.3.1. The changes bring us closer to phasing out pyop.
Ivan will redo the Satosa docker image, adding additional documentation along with a few other changes. Will be working on updating "types" first. More info will be in the code; it will be a gradual change that starts in the microservices.
https://github.com/IdentityPython/SATOSA/issues/391 - Ivan pushed a fix for this, but wants to expand the fix more to allow for rotating state-encryption keys.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Preparing a new release that will tie the verification request with a redirect binding. Expect a big change log. See https://github.com/IdentityPython/pysaml2/pull/805.
d. Any other project (pyFF, djangosaml2, etc)
No updates.
2 - Discussion
Heather is doing another browser update as part of InCommon's webinar series. Registration not required: https://internet2.edu/i2-online/
Thanks! Heather