Plan for SAML Authentication 4.x

I'll roll a -beta1 once the under-review patches are committed. (Current estimate: next week. But don't count on my promises.)

A stable release will be done once all functionality has tests. This was a promise to the 1.x branch maintainer. I don't have a detailed view of what is needed there; will dive into testing as time allows.

Adding a few release candidates as related issues, maybe there are more that I've missed

Standardized the title.

I'll wait for a little while to see what happens with #2900968: Attribute mapping module and then roll a beta.

Hey roderik,

I can jump in and help with the unit/functional testing. Just let me know where I can start if you've already. Thanks!

Update: I'm not rolling a beta yet since nathandentzau indicated the SamlService will need to be refactored a bit, to make it suitable for testing.

After that interface stabilizes, there may be a beta, or immediately an rc... depending on the test coverage I guess. I'll ping cweagans for opinions when we're there.

There's a number of patches already RTBC in queue (php 7.2 compatibility one of them)
Tests also needs setup for the new 3.x branch and clean-up of remains of simple test

Also it needs issue to create new alpha and plan beta before RC, personally we using ~6 patches on projects now

The low hanging fruit didn't hang as low as I expected. It increased my understanding of the SAML Toolkit's options though, so that's a plus.

I'm still doing the first subpoint; there are a few (1-3) issues left in the queue.

In the meantime, a new maintainer has appeared from an organization that wanted a release for the D9 issues now, so there's a new alpha release already.

Here's the next iteration of my plan: (Note this is only my personal plan; so far the work on module 8.2.x and up has been ~95% un-funded, and if it stays that way / there is no considerable help, it will just be prioritized among any other paid and volunteer projects I have.)

Part 2 - path to "tested stable" version

1)

Work on externalauth issue #3179148: Redo authmap_alter / register events.. (Basic summary: basically 'noone' is using externalauth's events. I want to change them so they become more usable.) Write tests for it; get buy-in from other module users.

There may be more work I want to do on externalauth v2 first, if that means moving existing code from this module over to externalauth to make it more broadly usable by others, at the same time as making this module smaller. (I have my eye on the "link existing user by name / mail" part.)

Some aspects of the current patch may change still - but the important part is getting the change to the events in. If that doesn't happen, I'm going to build this module on a forked ExternalAuth class, because it makes the rest of the work that much easier/clearer.

2)

Apply #2925171-14: Use externalauth::register event vs hook_user_presave to make this module work on the new version of externalauth v2. This un-spaghettifies this module's code considerably, and makes it easier to test.

It also retires at least one event in this module (because we'll use externalauth's).

At the same time we're changing events, we can change the values passed into the event. The array of attributes should be replaced with a more fully formed value object (either the \OneLogin\Saml2\Auth object or something resembling it), so that event handlers can access more than just the attributes.

3)

Write automated tests for the rest of the module. After point 2 this becomes easier.

Release stable 4.x.

Part 1

In 2016 (!) when taking over the work toward 8.x-2.x, I promised to not release a stable version before it had proper automated tests.

However... the slow pace of this project combined with the large current user base (without many bug reports) points toward publishing a stable release for the current version, even though that doesn't have tests. I do not think the existence of that version will impede the 4.x release, whenever that will happen.

My plan is to properly handle all in-review issues before doing that. (There's not that many, but still: timeline unknown.)

'Part 1' is done now. A 3.0-rc1 version has been released.

It would be great if you could test this version. a 3.0 release is planned a few weeks from now.

Friendly reminder: A stable release (even with missing features or known bugs) would be great because it would mean that the project is covered by the security advisory policy.

So a stable release with caveats could make many users sleep better at night..

I coudn't tell you but we were actually in communication with the security team throughout the RC phase. It took a while, because of several dependencies.

(8.x-3.x wasn't security supported, but a reported issue was present in 8.x-1.3 which made it need an official security release.)

8.x-3.1 (security release) is out now, so everything is now also officially security supported.

Thanks for the update, and thanks to everyone who responsibly worked on resolving this security issue and getting the fixes out!