just cut pyFF 2.0.0 - its up on pypi and github.com/SUNET/docker-pyff has been updated to support building 2.0.0. The most important difference is of course that 2.0.0 has undergone extensive cleaning. All frontend applications - ie the admin UI and discovery service - have been given their own separate projects and pyFF is now an API server first and foremost. The admin UI is called github.com/SUNET/mdq-browser and the DS is famously become github.com/TheIdentitySelector/thiss-js from the seamlessaccess.org project.
Over the next few days I will spend some time updating the documentation - which has become a bit out of date - esp with more examples to illustrate a lot of the features that are part of pyFF but are sometimes less well known.
Another news for 2.0.0 is that support for python before v 3.7 has been dropped.
Thanks! Heather
As described in the Statues of IdentityPython [1], roughly half the seats for the idpy Board are opening for nominations. The following members have completed their one-year terms:
Ivan Kanakarakis (current chair)
Mike Jones
Chris Whalen
Roland Hedberg (at-large)
They are all eligible to be nominated again for a new board term.
The term for these seats is now shifting to a two-year cycle, such that half the board will be up for nomination each year.
Participants on the idpy-dev list act as the nominating committee for the idpy board. If you would like to nominate someone (or self-nominate) please contact me directly no later than 24 January 2020.
b. March 23 Hackathon/Workshop in Stockholm
Also, there will be a (small) f2f meeting at TIIME in Vienna.Will talk about how things are now, and where the platforms might go.
Suggest having a workshop style meeting on the 23rd. It is a more specific audience given they will be there about eduGAIN. Will build the list of things to work on during the TIIME meeting. Will have to allow for some flexibility on site. In general, topics will definitely include Satosa, pySAML2, pyFF, OIDC libraries
Next steps: Heather to set up registration, send an announcement, and start a wiki page of topics.
2. OIDC Federation update
a. Second Implementer’s Draft of OpenID Connect Federation Specification Approved <https://openid.net/2020/01/08/second-implementers-draft-of-openid-connect-f…>
No one voted against (yay!). There were some discussions at TechEx on things to add to the specification; that will happen now that this version fo the draft is approved.
There are plans for several interop workshops this year; could possibly run this in parallel to the idpy workshop, or some other time during the Town Hall. There will also be interop testing during TNC20. Still in discussion re: NORDUnet and/or IIW. There are currently 3 implementations ‘in the wild’.
b. Repository status
Waiting to hear from Mike Jones (OIDF) on whether they are okay with moving the repositories out from under OIDF.
3. GitHub review
a. OIDC implementations
(See above)
b. Satosa - https://github.com/IdentityPython/SATOSA <https://github.com/IdentityPython/SATOSA>
Ivan will be making a new release for Satosa to account for the new pySAML2 release (to include a hint for the dependencies). There will also be an update to the version of the LinkedIn API that we use It should be compatible to the previous one. Also an update to allow the proxy to be a URL path. See:
https://github.com/IdentityPython/SATOSA/pull/279 <https://github.com/IdentityPython/SATOSA/pull/279>
https://github.com/IdentityPython/SATOSA/pull/280 <https://github.com/IdentityPython/SATOSA/pull/280>
https://github.com/IdentityPython/SATOSA/issues/179 <https://github.com/IdentityPython/SATOSA/issues/179>
Next on the list: work on logging. Need to make some change there, and this will eventually happen across all libraries. Ivan to coordinate with Hanna Sebuliba and Scott Koranda offline.
c. pySAML2 - https://github.com/IdentityPython/pysaml2 <https://github.com/IdentityPython/pysaml2>
There is a new release for pySAML2 that includes a security fix. See email from Ivan on 13 January 2020, Subject " [Idpy-discuss] PySaml2 v5.0.0 - Security release"
Alexey Sintsov and Yuri Goltsev from HERE Technologies reached out and
reported a XML Signature Wrapping (XSW) vulnerability. The issue
affects responses with signed assertions. PySaml2 can be tricked to
think that an assertion had been signed and use the assertion
information, when in reality the Signature points to another part of
the xml document that is controlled by another party.
The issue was assigned CVE-2020-5390 and is now fixed in the latest
pysaml2 release.
The relevant code commit that fixes is the issue:
https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521… <https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521…>
Changes include an introduction of a new test file that tests handling of unknown elements. The vulnerable use cases are when you have signed assertions but unsigned responses.
Note: we should probably revise the incident handling procedure. It needs to be simplified (it currently has Ivan talking to himself at different stages). We should also discuss how to announce these security events. Should we warn the community that a security vulnerability has been found, and tell them when we’re going to do the announcement? Yes.
Apart from the security fixes, there are a handful of other changes. They are breaking changes (thus the new major number). In the future, security changes and breaking changes should not be included in the same release if possible. In this case, though, the security change is itself something of a breaking change, and it plus the other (small) breaking change were not too major a set of changes.
Reminder that we are not back porting security fixes. If others want to work on that, they can create branches.
d. pyFF - https://github.com/IdentityPython/pyFF <https://github.com/IdentityPython/pyFF>
Heather will ask Leif to send out an update.
4. AOB
Our next call is 21 January 2020; note that the second half overlaps the eduGAIN Baseline Maturity call, so people may drop off early.
2) These all are easy pull requests that can be easily merged after a fast revision, b) d) and e) are pure bugfixes:
a) ldap_store refactor: https://github.com/IdentityPython/SATOSA/pull/252 <https://github.com/IdentityPython/SATOSA/pull/252>
Will merge. This is mainly a discussion between Pepe and Scott.
b) Cookie state exception fix/workaround: https://github.com/IdentityPython/SATOSA/pull/250 <https://github.com/IdentityPython/SATOSA/pull/250>
Will merge.
c) multiple user_id: https://github.com/IdentityPython/SATOSA/pull/222 <https://github.com/IdentityPython/SATOSA/pull/222>
Could also do this via a microservice; may have one that already does this. Ivan will let Pepe know; having an example in this PR before closing would be helpful.
d) sign_alg/digest_alg policy fix: https://github.com/IdentityPython/SATOSA/pull/216 <https://github.com/IdentityPython/SATOSA/pull/216>
There is a similar PR on pySAML2 about introducing these options. (It was easier in Satosa.) Could map this to different configuration options to the backends, but would then need to map everything. It’s still a question on how to handle the different configurations between pySAML2 and Satosa.
Will merge this now, and when we have support in pySAML2 code, we can drop this from Satosa. Will still need to work on generalizing this.
e) selectagle dig/sign algs in backends: https://github.com/IdentityPython/SATOSA/pull/214 <https://github.com/IdentityPython/SATOSA/pull/214>
The previous one (216) is a bug fix; this one is a proposed change. Still, see above as it still applies
3) The possibility to select the backend to use in base of the entity Id used for authentication. Proof of concept here: https://github.com/IdentityPython/SATOSA/pull/220 <https://github.com/IdentityPython/SATOSA/pull/220>. I cannot do a separate microservice because this implementation needs a little but easy implementation into SATOSA core, I tried to code it as easy to read as possible.
This extends custom routing. Ivan will look at it.
2. Hackathon planning - https://wiki.refeds.org/pages/viewpage.action?pageId=44959235 <https://wiki.refeds.org/pages/viewpage.action?pageId=44959235>
Note that you have to register (even if you’re a speaker).
What do people need to get started? Suggest setting up a VM for Satosa so that people have a ready-made environment. Can set up a small image with everything ready and packed in, with no other setup. Will put it in the repository as an image. Will reuse this for other purposes (including future Hackathon). In the past, we’ve talked about having images that demonstrate different use cases; can use this for small demos.
Action item for Ivan; will try to have that this week
For the OIDC Federation table - they need to have read the specification and understood it. There will be at least three people at this table, including two Java programmers. When they have something running, will start doing interop testing; Roland will have entities available for them to talk to to test their code. The SimpleSAMLphp programmer will also be there, but he may be at another table. The developers will have their own environment with them on their laptops.
Need to ask for white boards.
Would be good if the EIDAS people would be there.
John suggests looking at using this https://github.com/sitya/samlidp <https://github.com/sitya/samlidp> as a fast sp/idp deployment; might not be the best fit.
Christos points out that they have an instance that might allow people to spawn SPs there. But if you want the developer the experience to deploy the IdP, then need to do more. Probably don’t need the IdP to do anything special; need to focus on developing the proxy and microservices.
Pepe: as SP I used this for my tests: https://github.com/peppelinux/Django-Identity/tree/master/djangosaml2_sp/dj… <https://github.com/peppelinux/Django-Identity/tree/master/djangosaml2_sp/dj…> and pysaml2 idp I used uniAuth ( https://github.com/UniversitaDellaCalabria/uniAuth <https://github.com/UniversitaDellaCalabria/uniAuth>)
If anyone else has more ideas on what they’d like to see during the Hackathon, please post to the list or send to Ivan
3. AOB
Next call: 3 September 2019. Will discuss status of Hackathon prep, OIDC libraries (if Roland is available), any pyFF updates (if Scott/Leif are available), and items from the mailing list.
1) Handle inconsistent context.state. The following PR it's just a proof-of-concept and needs more attention for a better rationale: https://github.com/IdentityPython/SATOSA/pull/272 <https://github.com/IdentityPython/SATOSA/pull/272>. I think to prevent the possibility to make authnRequest with invalid/inconsistent/corrupted context, this PR also introduces the possibility to handle in a definitive way Error or warning messages to end users: https://github.com/IdentityPython/SATOSA/issues/228#issuecomment-520275196 <https://github.com/IdentityPython/SATOSA/issues/228#issuecomment-520275196>
Ivan: Code assumes that we will always be in a situation where the cookie will be there. Need to change that and indicate when the cookie is missing. We may also have some implicit actions being done, authentication response assumptions based on things we find in that cookie, or the query parameters, or the body of the query response. Can fix this by starting with this PR, but more will need to be done so we don’t need to have a user friendly message.
Ivan: We don’t want to mess with HTML templates. What we want is an API that will allow us to return information about the error to other services for rendering. We still need to restructure the logging; that will help match the logging message to other error messages.
Ivan for this PR, Ivan will rephrase the message then accept the PR. It is only a first step in what needs to be done.
Attendees:
Heather, Ivan, Roland, Scott, Peter, Christos, Giuseppe
Notes:
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
The authors of draft-ietf-regext-rdap-openid are considering the use of the OIDC Federation spec. Heather has put Roland/Giuseppe in touch with the authors.
All the libraries are being updated to make it through the OIDC test suite; oidcop is the last one to be updated and is in final review. When this is complete, we can continue to work such as development efforts around identity assurance (EKYC group). The interop work is coming out of fintech. The verification of claims is related to the FAPI work; it's one part. There is a client verifcation method called MTLS, but if you're an RP that wants to use it, you have to be able to look at the certs used during the TLS communication; that's not possible in the current libraries (see https://www.python-httpx.org/advanced/#ssl-certificates)
b. Satosa - https://github.com/IdentityPython/SATOSA
Will be creating a new release for Satosa; various bug fixes.
Ivan has created a new label, "Next Release", which will tag issues and PRs that will be merged into the next release so that people know what's coming next. Ivan needs to go through the various issues to see if they need to be closed, moved, or whether more work is needed.
Ivan is looking into GitHub actions; Travis is still having problems.
Satosa and the microservices interfaces being updated to support types; goal is to keep the interfaces stable. Will do this via the data classes in pydantic. Hopes to expand this into pySAML2. This is a low level change.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
New release available: https://github.com/IdentityPython/pysaml2/releases/tag/v7.1.0
We now have proper support for verifying signatures for redirect bindings on incoming authn and logout requests. See change log for more details.
There is a new capability to allow for on-demand metadata refresh. the endpoint is implemented in Satosa, but not set up by default. Could a worker in Satosa's web server be reserved for this? Ivan to look into having a separate queue to handle this task.
d. Any other project (pyFF, djangosaml2, etc)
Giuseppe needs to update djangosaml2 with the latest pysaml2.
There is a scalability issue in the eduTEAMs space (OpenID front end and the oidc libraries); they are passing JSON blobs up to 50Mb, which causes time outs. But since the data structure must be what the library expects, it's hard to pull apart this blob. No immediate solutions available.
Thanks! Heather
Welcome to time-change-confusion time of year!
Attendees
Roland, Ivan, Heather
Agenda:
0 - Agenda bash
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Third implementor's federation draft is out for vote in the OIDF.
Roland did the last certification step (logout certification for the RP libraries). Those have been submitted, but Roland hasn't heard back yet.
Considering a TNC22 session with Giuseppe on the intended move to an OIDC federation for Italian government entities.
Projects was using a crypto library at version 3 that suddenly jumped to version 35 (they are changing both the code and the versioning scheme) but that broke many things.
b. Satosa - https://github.com/IdentityPython/SATOSA
Preparing a new release that will include resolution to an issue (https://github.com/IdentityPython/SATOSA/pull/392) that the OIDC front end using the old pyop library that did not properly handle error redirect URIs. Will set the minimum version allowed for pyop to 3.3.1. The changes bring us closer to phasing out pyop.
Ivan will redo the Satosa docker image, adding additional documentation along with a few other changes. Will be working on updating "types" first. More info will be in the code; it will be a gradual change that starts in the microservices.
https://github.com/IdentityPython/SATOSA/issues/391 - Ivan pushed a fix for this, but wants to expand the fix more to allow for rotating state-encryption keys.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Preparing a new release that will tie the verification request with a redirect binding. Expect a big change log. See https://github.com/IdentityPython/pysaml2/pull/805.
d. Any other project (pyFF, djangosaml2, etc)
No updates.
2 - Discussion
Heather is doing another browser update as part of InCommon's webinar series. Registration not required: https://internet2.edu/i2-online/
Thanks! Heather
