Continuing the discussion from Trying to troubleshoot Saml2 SSO between Zulip and Plone:
Let me start by saying, SAML2 works with enough effort. The proposal that follows is with the goal of improvement.
I'd love to see some improvements to the SAML story on Plone. Anyone open to a mini virtual sprint some time in July or August? I would really appreciate some feedback on this idea.
@dieter, is this something you're able to support (mostly because you're the author and maintainer on pypi), even to be available to support releasing the updates to pypi?
Merging useful code
Looking at the forking history of dm.zope.saml2, it seems that some "good stuff" hasn't made it back to pypi.
Examples of interesting code:
On the Jazkarta fork, making use of the came_from variable for redirects
On the collective fork, disabling csrf on post
Adding new capabilities
- I'd like to be able to force attributes to be returned from dm.zope.saml2 when acting as an Identity Provider (IdP), especially when they aren't requested by the SP (mostly because I have an issue with Zulip, which does not request attributes as an SP)
- I'd love a simple control panel implemented in collective.saml2
Proposed goals
- Review and merge useful changes, already implemented on some of the forks, back to dm.zope.saml2
- Make the collective branch the authoritative branch for dm.zope.saml2 (assuming there are no issues with this)
- Fix collective.saml2 to work with Python 3 (It looks like simply changing the dependency info for PyXB). There's already an issue logged for this
- Deploy updates to pypi
Stretch goals
- Enhance collective.saml2 to implement a control panel in Plone
so moving it to the collective will be an issue?