Maintenance - Update SimpleSAML 1.18.x to 1.19.x #1

Open
alexfinnarn opened this issue Feb 18, 2022 · 5 comments
@alexfinnarn
Collaborator

There is a known issue with CU's Federated Ping authentication and versions of the simpleSAMLphp library greater than 1.19.0. Until this is resolved, simpleSAMLphp is pinned to the 1.18.8 version.

I am updating the library for a D7 site and see that 1.18.8 is the safest version to use based on the wiki: https://github.com/cu-uis/cu-starterkit-project/wiki/SAML-Configuration

What exactly are the issues with CU's configuration? Looks like 2.0.0 is in the works as far as a target to update to https://github.com/simplesamlphp/simplesamlphp/releases?page=1

@kreynen
Collaborator

kreynen commented Feb 22, 2022

There are more details about this in https://gitlab.cu.edu/ode/online-cu-starterkit/-/issues/71, but the gist is that one or more of the default values of the 1.19.x config files cause a failure with Chrome. The 1.19.x code with 1.18.x config worked, but explaining that a site builder needed to first install 1.18.x and copy those configuration files before updating the code to 1.19.x was too confusing.

The real solution is to diff the configuration files and figure out which default setting change isn't compatible with CU's Ping configuration.

@kreynen kreynen changed the title SimpleSAML library update Update SimpleSAML 1.18.x to 1.19.x Feb 22, 2022
@kreynen
Collaborator

kreynen commented Feb 24, 2022

  • Update the certs on existing sites using current SAML configuration
  • Update the code and configuration to 1.19.x
  • Confirm Chrome loopback issue still exists
  • Bisect the changes and new defaults to determine where the issue is
  • Work with IAM team to determine correct defaults
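
An added example, not part of this thread or the project's code: one way to carry out the "diff the configuration files" and "bisect the changes" steps once both `config.php` arrays have been exported to dictionaries. It reverts changed keys one at a time rather than strictly halving, so it also covers the "one or more defaults" case. The key names, sample values and the `fake_login_works` check are constructed placeholders, and the real check is assumed to be a Chrome login test against the IdP.

```python
"""Isolate which 1.18.x -> 1.19.x config default changes break login."""

_MISSING = object()  # marks a key that exists in only one of the two configs


def changed_keys(old, new):
    """Keys whose value differs between the configs, or exists in only one."""
    return sorted(k for k in old.keys() | new.keys()
                  if old.get(k, _MISSING) != new.get(k, _MISSING))


def _with_value(config, key, value):
    """Copy of config with key set to value, or removed when value is _MISSING."""
    trial = dict(config)
    if value is _MISSING:
        trial.pop(key, None)
    else:
        trial[key] = value
    return trial


def minimal_breaking_changes(old, new, login_works):
    """Return the changed keys that must keep their new state for login to fail."""
    if not login_works(old) or login_works(new):
        raise ValueError("need a working old config and a failing new config")
    current, culprits = dict(new), []
    for key in changed_keys(old, new):
        trial = _with_value(current, key, old.get(key, _MISSING))
        if login_works(trial):
            culprits.append(key)   # reverting this key fixes login: it is required
        else:
            current = trial        # still broken without it: keep it reverted
    return culprits


# Constructed sample data: placeholder keys, not real SimpleSAMLphp options.
OLD = {"example.a": 1, "example.b": False, "example.c": "x", "example.d": "legacy"}
NEW = {"example.a": 2, "example.b": True, "example.c": "x", "example.e": "added"}


def fake_login_works(config):
    """Hypothetical stand-in for a manual Chrome login test against the IdP."""
    return not (config.get("example.b") is True and "example.d" not in config)


if __name__ == "__main__":
    print("changed:", changed_keys(OLD, NEW))
    print("breaking:", minimal_breaking_changes(OLD, NEW, fake_login_works))
```

The returned keys are the short list to take to the IAM team; every other changed default can stay at its 1.19.x value.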

@kreynen kreynen changed the title Update SimpleSAML 1.18.x to 1.19.x Maintenance - Update SimpleSAML 1.18.x to 1.19.x Apr 11, 2022
@kreynen kreynen added the CU4CO label May 12, 2022
@kreynen kreynen self-assigned this May 17, 2022
@kreynen
Collaborator

kreynen commented Aug 26, 2022

From https://simplesamlphp.org/...

2022-07-01: The first release candidate for SimpleSAMLphp 2.0 is available - Good
2022-07-01: SimpleSAMLphp 1.19.6 has been released - Good... should look at this since PHP8.0 support is really only supported in > 1.19.2 and PHP8.1 support requires > 1.19.4

2022-04-21: Job opening! SimpleSAMLphp lead maintainer. - Need to watch this as well as https://www.drupal.org/project/simplesamlphp_auth/issues/3303939

@alexfinnarn
Collaborator Author

alexfinnarn commented Aug 26, 2022

https://www.drupal.org/docs/contributed-modules/saml-authentication/using-drupal-aswith-a-saml-sp has been updated recently, but it looks like they don't consider SimpleSAMLphp at all. Maybe time to switch?

...nevermind, it's mentioned, but I feel like they are saying it is more complicated/complex than using the other four modules.

@kreynen
Collaborator

kreynen commented Aug 26, 2022

Pantheon is still recommending https://pantheon.io/docs/shibboleth-sso... not that they provided any support when dealing with the loopback in Chrome.

This is a bit of who takes the time to edit the Wikipedia determines what the facts are.

[Screenshot]

You might recognize roderik from maintaining projects like https://www.drupal.org/project/samlauth

I don't love simpleSAMLphp, but it is the only library I actually have any experience with.

Looking at https://www.drupal.org/project/samlauth/issues/3289460, they aren't running the tests for samlauth against Drupal 10 or PHP8.1 yet.

Looking at https://www.drupal.org/project/simplesamlphp_auth/issues/3289683, Berdir already has tests passing against D10 and PHP8.1. He also responded to https://www.drupal.org/project/simplesamlphp_auth/issues/3306294 about the simpleSAMLphp 2.0-rc1 release...

Note that due to symfony compatibility, you will not be able to install 2.x on Drupal 9, just like you won't be able to install 1.x or 2.x on drupal 10.
