Hello everybody,
As you may have guessed from the subject of this email, I have the pleasure
of presenting here djangosaml2, in anticipation of its migration to
Identity Python.
In CC Jozef Knaperek, former contributor of pysaml2 and person who from
2016 to date has maintained the fork of this project, now hosted in the
personal github, which today has a fair audience and satisfaction within
the Django community.
Here is:
https://github.com/knaperek/djangosaml2
As is evident, djangosaml2 is an application designed for Django Framework,
written above pysaml2 that presents closely related goals to this. This is
why we believe that bringing djangosaml2 to idpy can be quite natural, and
if we want it also advantageous, for the possibility of increasing its
community.
Currently the project is published on Pypi and the version release policy,
and acceptance of contributions, depends on validating the code by running
unit tests (Tox over Github actions). The coverage of djangosaml2 is
currently less than 80% in the v0.40.1 but higher than 90% for the v1.0.0
version (see branch of the same name). The latter is in the process of
being released and it might be a good opportunity to release it directly
within idpy.
The versions from v0.19.0 to v1.0.0 were made possible by a great
enthusiasm, which arose within its community, manifested following the
first interactions for the requalification of the project, as regards the
feedback offered both in the issues and in the PR pending. Having given so
much trust activated several contributors in a relatively short time makes
us optimistic about the general resilience of the project, such as to think
about the good health of its community and not least the possibility that
this project could hopefully continue to live on external contributions
only.
In any case, the people that are glad to present here djangosaml2, for whom
we undertake the commitment of a management over time, are Me and Knaperek.
I know that we have not written everything but rather we fear we have
written too much. We are available to answer in this thread on further
organizational and managerial aspects of the project.
Sure of your kind reply, we greet you
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
--
------------------------------------------------------------------------------------------------------------------
Il banner è generato automaticamente dal servizio di posta elettronica
dell'Università della Calabria
<https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>
Attending:
Heather, Ivan, Hannah Sebuliba, Scott, Roland, Matthew, John P, Giuseppe
Notes
1 - Status of architecture documentation
Ivan promises to write more down. Heather will continue to nag him until he does.
Has continue thinking about the middleware, and is planning on some restructuring and clarification of the Satosa docs.
We had collected use cases in the wiki (https://github.com/IdentityPython/SATOSA/wiki) and we also spoke about setting up docker containers to demonstrate those use cases. This is something others could do; if interested, please reach out to Ivan.
Also on the list, better documentation for the API which will serve as groundwork for future changes. We are using readthedocs for pySAML2 (see https://pysaml2.readthedocs.io/) but it focuses on the configuration options; needs more.
Team is encouraged to add a GitHub issue for sections of the documentation they are working on so we can keep track of what’s being created. Scott will take a first cut at the pySAML2 top level documentation, and will then write docs on how to spin up a minimal working example of IdP. Matthew will submit his manual install of Satosa documentation: https://gist.github.com/xenophonf/22d0ec836005040a9f7c7bb80b183eda. There is also a strong argument for shifting where we can to a Document Driven Development model, writing the documentation first, share it with others, then write the code.
2 - Potential new project for idpy - status?
a. https://github.com/knaperek/djangosaml2 - Giuseppe has sent an email to the list; Roland has indicated support. Heather will take this to the Board.
This is linked to pySAML2. Having a project that directly uses pySAML2 that allow people to quickly set up an IdP is a good way to help direct usability improvements for pySAML2.
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Roland is preparing an issue around session management with the oidcendpoint. He is writing docs on how it should work, and then will work on the code.
Ivan is working on CryptoJWK and will add a new CLI for the ‘use’ flag.
b. Satosa - https://github.com/IdentityPython/SATOSA
Memory leak is still a mystery. This may actually be a problem with gunicorn.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Giuseppe went through the open issues, closing several and making notes on others.
New merges: documentation; changed the default re: signatures; removed all the assertion calls.
Looking at replacing the calls to xmlsec1 and doing the same action in memory.
Ivan has not yet pu shed the changes for the default algorithms. Will switch to SHA-512.
Thanks! Heather
Hola a todos!
I want to highlight something from our meeting notes today: the need for more documentation.
Everyone is encouraged to add a GitHub issue for sections of the documentation they are working on so we can keep track of what’s being created.
Scott will take a first cut at the pySAML2 top level documentation, and will then write docs on how to spin up a minimal working example of IdP. Matthew will submit his manual install of Satosa documentation: https://gist.github.com/xenophonf/22d0ec836005040a9f7c7bb80b183eda.
Ivan will be working on improving the documentation for the APIs, but that can certain use some assistance.
If you are willing to spend a bit of time on this, the work would be most gratefully received!
Thanks! Heather
Attending:
Johan, Heather, Ivan, Hannah Sebuliba, Scott, John, Christos
Regrets:
Giuseppe
Notes
1 - Status of architecture documentation
No update since the last call.
For architecture in general, Ivan will be adding some patches for the middleware idea. The configuration will be part of the middleware; this will not be a breaking change. Also has some additional ideas to wrap parts of the applications (e.g., what we do with the micro services). This would allow easier to extend the micro services.
2 - Potential new project for idpy - status?
a. https://github.com/knaperek/djangosaml2
Notes from Giuseppe:
djangosaml2
Jozef Knaperek (the current repository owner) expressed a favorable opinion for the migration to idpy. I lost him during the holidays but it's probably right that it was! Watching djangosaml2's contributors we can see how many guys contributed in it and also in pysaml2. I think that this migration would be quite natural for many aspects, one of these is the opportunity to extend its community, abandoning the position of "mantainance fork" moving into a more proper and authoritative space. For those who do not know djangosaml2 this is the integration of pysaml2 in Django Framework, it help us creating a SAML2 SP in the full respect of pysaml2 approach. I am sure you have already given it a look. The latter commits have handled a SameSite cookie workaround, similar to which already seen in SATOSA and we are getting ready for a major release (v1.0.0) with a general code refactor (ClassView) and a better code coverage (>89%). v1.0.0 would be a LTS release and probably we'll have a RC for some months before do that. v1.0.0 would have also pysaml2 >=v6.1.0 as dependencies and we're facing pysaml2's breaking changes regarding this. Finally, I'm only a repository admin that are driving djangosaml2 best I can and, at last but not least, a real stakeholder, because I largely use it in my production contexts.
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Notes from Giuseppe:
I didn't still produced a debate in #oidc channel, but if I were did it I'd ask about the default policy that oidcendpoint have, regarding the requested scope against the supported or availables, for each RP. In that issue I tried to describe my (usually coloured) experience: https://github.com/IdentityPython/oidcendpoint/issues/73
The goal of this debate would be the possibility to configure the default behaviour (policy) in oidcsession, through oidcendpoint global configuration, that will let each platform administrator decide how to handle the release of unavailable or unallowed scopes.
That's a reference for this:
https://github.com/IdentityPython/JWTConnect-Python-OidcService/blob/51df9e…
Notes from Ivan:
There has been a bug in one of the underlying libraries for ECC crypto in the OIDC endpoints. It is not handling exceptions well. It is fixed, but there is not a release yet. When there is a release, need to force the use of the patch.
b. Satosa - https://github.com/IdentityPython/SATOSA
Ivan is reviewing current issues to come back up to speed.
Mostly working on middleware to add flexibility to what we do.
Ivan is considering the issue of multiple key descriptors - how can we define and coordinate keys? Currently the configuration is messy.
• See also: https://github.com/IdentityPython/SATOSA/issues/334
Merge requests under consideration:
• https://github.com/IdentityPython/SATOSA/pull/332 - dynamic requested attributes. Will be incorporated soon.
• https://github.com/IdentityPython/SATOSA/pull/231 - unsolicited front end work
Will just merge changes as long as they are not breaking changes. All breaking changes will be held and done in one release.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Potential memory leak. Ivan has been using a function trace library to find this (https://functiontrace.com/) It could not follow the forks or threads that were created, but there is a new release of the software that should be able to do that now. eduTeams has a test environment that has a test environment that Ivan will use to continue to track this issue down.
Several pending merge requests:
• https://github.com/IdentityPython/pysaml2/pull/711 - request signing. Very simple, should go through
• https://github.com/IdentityPython/pysaml2/pull/704 - Assumed name format for different attribute elements. The spec dictates that, by default if no format is set, it should be unspecified, which is not what we’re doing. This is a both a breaking change and a fix. This PR also points to https://github.com/IdentityPython/pysaml2/issues/601.
• https://github.com/IdentityPython/pysaml2/pull/665 - how temp files work on Windows. Named temp files don’t work correctly on Windows. We need to wrap this in our own class/structure and detect when we’re using Windows and do things on our own on that system. We can either fix this or not use these files at all (doing these operations in memory), but the library that provides the bindings only has bindings for signing not encryption.
• https://github.com/IdentityPython/pysaml2/pull/660 - allows multiple certificate files. Ivan will be making some changes to the code.
• https://github.com/IdentityPython/pysaml2/pull/645 and https://github.com/IdentityPython/pysaml2/pull/628 - need to change the default algorithms and make them configurable. Will not support MD5 at all. It is easy to display what we support but harder to do internally. These are still a work in progress.
• See also: https://github.com/IdentityPython/pysaml2/issues/712 - the user is using ECC keys for the signing, but internally we assume RSA keys
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Next call: 15 September 2020
Thanks! Heather
Attendees:
Giuseppe, Ivan, Matthew, Heather, Johan, Hannah, John
Regrets:
Scott
Notes:
1 - Status of architecture documentation
No update; focus is on finding a memory leak.
Will be expanding on the internal data representations, and how the microservices are applied to data representations, and how they get back to the external protocol.
2 - Potential new project for idpy
a. https://github.com/knaperek/djangosaml2
Giuseppe has invited Joseph, the maintainer, to these calls to see about bringing in djangosaml2 under the idpy umbrella.
As a reminder, here are the instructions for adding a project to idpy:
https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
Heather will follow up with the Board in September re: the new project.
3 - GitHub review
Ivan is spending most of his time right now hunting down a memory leak. Other coding is delayed. See Satosa update.
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Status of pkce? OIDC endpoint has support for pkce (a better type of implicit flow). Ivan will be following up on that; sounds interesting.
https://github.com/IdentityPython/oidcendpoint/blob/master/src/oidcendpoint…
Question about whether this generates JWK? We do have scripts that can generate the keys:
https://github.com/IdentityPython/JWTConnect-Python-CryptoJWT/tree/develop/…
You can specify what the key will be used for via the ‘use’ parameter. We currently do not specify that, but might be useful to have. Then it will be easier to generate and use those keys.
b. Satosa - https://github.com/IdentityPython/SATOSA
When running Satosa, a host with 1GB of RAM, after about 3-4 days of processing requests, the memory usage has increased. It’s a slow leak in newer versions of Satosa. It may not even be Satosa itself, but one of the libraries (e.g., OpenSSL library, libxml). If you are restarting Satosa regularly, or don’t have a lot of traffic, this may not be a major impact to you.
Using https://docs.python.org/3/library/tracemalloc.html to help hunt down the source of the leak.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Name format work: https://github.com/IdentityPython/pysaml2/issues/601. PySAML2 assumes the name format value is a URI format. This is a bug on the consumption side. When we parse an attribute element and we don’t find a name format attribute, we should indicate that it is unspecified. When we produce an attribute element, then we have an object and we initialize it with the name format, the name of the attribute, and the value of the attribute. If we don’t specify the name format, then the default is a URI format. We may shift to indicating everything is unspecified unless specified as a URI format.
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Ivan will be on vacation and miss the next call (August 18); we will cancel that call. Next call is 1 September 2020
Thanks! Heather
Attendees:
Ivan, Giuseppe, Scott, Heather, John
Regrets:
Roland, Matthew
1 - Status of architecture documentation
Ivan wrote up a page on middleware: https://github.com/IdentityPython/SATOSA/wiki/Middlewares
Will be adding more on the usage of of middleware, enabling and disabling them.
Question raised if ASGI is something we want to consider in place of or in addition to WSGI. ASGI is generally a good thing. If performance was critical, this might be of interest where we’re worried about reading/writing to disk, timing, and encryption. Mostly, we don’t need the asynchronicity so the cost in terms of refactoring the code is not worth it.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Giuseppe and Roland have been working through new feature requests (e.g., a configuration validator) which might also be of interest for pySAML2. See https://github.com/IdentityPython/oidcendpoint/issues/70. Many ways to implement this, suggest including the documentation in the validator. This could be a schema. Ivan suggests looking at https://pydantic-docs.helpmanual.io/
b. Satosa - https://github.com/IdentityPython/SATOSA
Added the middleware documentation to the wiki space (see above).
Fixed the metadata generation for the virtual frontend.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
New release is out, which includes changes from Johan needed for the eIDAS proxy node. Mostly changes in the aggregate maps. Some fixes in the docs. New general config option for creating entity attributes that we don’t have specific configurations for. Allows us to set the friendly name attribute and values. See https://github.com/IdentityPython/pysaml2/commit/e5d0b4f0760144430d885165d4…
NameID format config has been changed, and how we handle the NameID format policy. This was a breaking change. See https://github.com/IdentityPython/pysaml2/commit/0c1873da1f280d4921b9c9b3da…
Working on changing the default algorithms. We do need to decide what we want the new defaults to be (currently SHA1). Changing the defaults will be considered a breaking change. Still need to work through how this will be configured. SHA1 is hardcoded in some places. We need better defaults for signing and digesting pieces of XML documents. Given what we do (we are not in a high performance environment) the slight performance hit of SHA512 over SHA256 may not be significant. When issuing responses with poor vendor implementations of SPs, we have to consider whether they can handle the more complex algorithms. We will go with SHA512 as our choice, but need to be clear on documenting how to change the default and consider how to set this as a per-SP choice.
We use a cert to check the types, and whether some things are verified. This is not ideal; certs are stripped out when python code is compiled. Will replace the certs with exception raises, making the type of exception reasonable.
d. pyFF - https://github.com/IdentityPython/pyFF
3 - AOB
Backend initiated responses
Scott has a modification to the SAML front end to support unsolicited flows, so that you can have a URL and specify all the details you want for the flow. This has been useful in COmanage when, after a registration flow, there is enough information to send the user to a specific SP based on their enrollment. If anyone else needs this kind thing, please contact Scott.
Typehints - Should we be using these? Yes, where they make sense. If we can have actually schemas that can verify input/output, and within the system we can then rely on the data that has been verified, that would be good. Typehints should be set where the API is defined.
Should we consider incorporating Django SAML into idpy? Giuseppe will reach out to the Django SAML team and see if they are interest, and then send a message to the idpy-discuss list for feedback.
Thanks! Heather
