Virtual sprint to improve the SAML story in Plone - dm.zope.saml2 and collective.saml2 [Proposal]

Continuing the discussion from Trying to troubleshoot Saml2 SSO between Zulip and Plone:

Let me start by saying, SAML2 works with enough effort. The proposal that follows is with the goal of improvement.

I'd love to see some improvements to the SAML story on Plone. Anyone open to a mini virtual sprint some time in July or August? I would really appreciate some feedback on this idea.
@dieter, is this something you're able to support (mostly because you're the author and maintainer on pypi), even to be available to support releasing the updates to pypi?

Merging useful code
Looking at the forking history of dm.zope.saml2, it seems that some "good stuff" hasn't made it back to pypi.

Examples of interesting code:
On the Jazkarta fork, making use of the came_from variable for redirects
On the collective fork, disabling csrf on post

Adding new capabilities

  • I'd like to be able to force attributes to be returned from dm.zope.saml2 when acting as an Identity Provider (IdP), especially when they aren't requested by the SP (mostly because I have an issue with Zulip, which does not request attributes as an SP)
  • I'd love a simple control panel implemented in collective.saml2

Proposed goals

  1. Review and merge useful changes, already implemented on some of the forks, back to dm.zope.saml2
  2. Make the collective branch the authoritative branch for dm.zope.saml2 (assuming there are no issues with this)
  3. Fix collective.saml2 to work with Python 3 (It looks like simply changing the dependency info for PyXB). There's already an issue logged for this
  4. Deploy updates to pypi

Stretch goals

  1. Enhance collective.saml2 to implement a control panel in Plone
1 Like

dm.zope.saml2 is maintained in a local repository -- not on github. All forks are unofficial and not supported by me.

For some enhancements, I might be persuaded to accept patches -- but not for any enhancement. For example, I will refuse to add logic to support SAML entities with missing or incomplete metadata description: there are easy workarounds outside dm.zope.saml2.

:point_up: so moving it to the collective will be an issue?

What about the other capabilities mentioned above?:point_down:

and forcing attributes to be returned even if not requested with RequestedAttribute.

I just want to be clear on the constraints.