My contribution focused on extending the oidc module in SimpleSAMLphp to support credential issuance flows compliant with OpenID4VCI draft 15. The goal was to create a lightweight, standards-aligned issuer that could be easily adopted by identity providers (IdPs) in federated environments.

To validate the implementation, I demonstrated credential issuance using three different wallets:

• Sphereon Wallet
• Lissi Wallet
• Data Wallet

Since the specification is still in draft phase, each wallet had different capabilities compatible with different specification draft, with an overview of the supported features below.

By embedding OpenID4VCI into SimpleSAMLphp, we enable existing IdPs to act as credential issuers with minimal disruption, paving the way for:

• User-centric credential management in academic and research settings
• Cross-wallet compatibility through standards-based issuance
• Future integration with OpenID4VP for selective disclosure and verification

Since this is “just” a proof-of-concept, I’m happy to share the code and documentation with anyone interested in exploring the implementation. However, please note that this is not a production-ready solution.

My next milestone is to implement OpenID4VP support in SimpleSAMLphp, enabling full issuer–holder–verifier flows. This will allow verifiable credentials issued via OpenID4VCI to be presented and verified using OpenID4VP protocols, completing the trust triangle.

If you frequently use SSH for tasks like connecting to remote servers or pushing code to Git repositories, you’ve likely encountered the need to manage your private keys. One of the most convenient ways to streamline your workflow is by automating the activation of ssh-agent and adding your private key each time you open a terminal.

Why Use ssh-agent?

ssh-agent is a background process that manages your private keys and provides secure authentication without requiring you to repeatedly enter your passphrase. Once your private key is loaded into the agent, it remains available for use during the session.

You can manually start ssh-agent by running:

eval $(ssh-agent -s)

This command starts the agent and sets the necessary environment variables, such as SSH_AUTH_SOCK, which allows other processes to communicate with the agent.

To add your private key to the agent, use the ssh-add command:

ssh-add ~/.ssh/id_rsa

Replace ~/.ssh/id_rsa with the path to your private key if it’s not the default location.

Automate the Process

To avoid repeating these steps every time you open a terminal, you can add them to your Bash startup script.

Edit Your Bash Startup Script

The appropriate script depends on how your terminal starts:

• For login shells: Edit ~/.bash_profile or ~/.profile.
• For non-login shells: Edit ~/.bashrc.

Typically, you’ll want to modify ~/.bashrc:

nano ~/.bashrc

Add the following code:

# Start ssh-agent and add SSH private key
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval "$(ssh-agent -s)" > /dev/null
fi

# Add the private key to ssh-agent
ssh-add ~/.ssh/id_rsa > /dev/null 2>&1

• if [ -z "$SSH_AUTH_SOCK" ]: Ensures that ssh-agent is started only if it’s not already running.
• ssh-add ~/.ssh/id_rsa: Adds your private key to the agent.
• Output redirection (> /dev/null 2>&1): Suppresses output for a cleaner terminal experience.

Apply the changes

After editing your ~/.bashrc, reload it to apply the changes:

source ~/.bashrc

Verify the Setup

To check if ssh-agent is running and your key is added:

1. Verify the agent is running:

   echo $SSH_AUTH_SOCK
   

   If the output is a valid file path, the agent is active.

2. List the loaded keys:

   ssh-add -l
   

   If your key is listed, the setup is working.

Handling Multiple Keys

If you use multiple SSH keys, you can add them by repeating the ssh-add command for each key:

ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519

Alternatively, you can store all your keys in a file and loop through them:

for key in ~/.ssh/*; do
    [ -f "$key" ] && ssh-add "$key" > /dev/null 2>&1
done

Optional: Persistent ssh-agent Sessions

If you want ssh-agent to persist across terminal sessions, consider using a tool like keychain. Keychain manages ssh-agent and reuses the same agent for all your sessions.

Install keychain (on Debian/Ubuntu):

sudo apt-get install keychain

Add the following to your ~/.bashrc:

eval $(keychain --eval --agents ssh id_rsa)

This approach ensures ssh-agent is available in all terminal sessions without restarting it.

By automating the activation of ssh-agent and adding your private keys, you can save time and simplify your workflow. Whether you use the manual setup or tools like keychain, this setup ensures secure and seamless SSH access every time you open a terminal.

When working with multiple Git repositories, such as a private workplace repository and a public GitHub repository, you might want to use different configurations for user.name and user.email. For instance, your workplace might require you to use your corporate email, while you might want to use your personal email for GitHub. In this blog post, we’ll explore how to dynamically set Git configuration based on the remote repository using Git’s includeIf directive.

Problem Overview

By default, Git applies global configurations from your ~/.gitconfig file to all repositories. However, this can become problematic when:

• You need to use different identities for different repositories.
• Switching between private and public repositories requires manual updates to your configuration.

Fortunately, Git provides a powerful feature for conditional configuration which automatically enables us to apply the correct configuration based on the remote repository.

Conditional Configuration Using includeIf

Git’s includeIf directive allows you to specify separate configuration files that are applied based on certain conditions. One such condition is hasconfig:remote.*.url, which matches remote URLs using glob patterns.

Here’s how we can configure Git to apply different user.name and user.email values based on the remote repository URL.

Step 1: Edit Your Global Git Configuration

Open your global Git configuration file (~/.gitconfig) in your favorite editor:

git config --global --edit

Add the following lines to include separate configurations based on the remote URL:

[includeIf "hasconfig:remote.*.url:*github.com*/**"]
    path = ~/.gitconfig-github

[includeIf "hasconfig:remote.*.url:*your-workplace.gitserver.com*/**"]
    path = ~/.gitconfig-work

Step 2: Create Separate Config Files

Create the additional configuration files that the includeIf directive references.

GitHub Configuration

Create ~/.gitconfig-github with the following content:

[user]
    name = GitHub User
    email = github.user@example.com

Workplace Configuration

Create ~/.gitconfig-work with the following content:

[user]
    name = Work User
    email = work.user@company.com

Step 3: Verify Remote URLs

To ensure that the configuration applies correctly, confirm the remote URLs of your repositories:

git remote -v

For GitHub, the URL might look like:

git@github.com:username/repo.git

For the workplace repository, it might look like:

https://your-workplace.gitserver.com/repo.git

Step 4: Test the Configuration

Navigate to a repository and verify the applied user.name and user.email:

git config user.name
git config user.email

You can also check the origin of the configuration:

git config --show-origin user.email

This will confirm which configuration file is being used.

Why *github.com*/** Works

Git interprets remote URLs hierarchically, so /** is required to match the path structure after github.com. The pattern, *github.com*/**, ensures:

• It matches any URL containing github.com.
• It accounts for additional components in the URL (e.g., /username/repo.git).

Similarly, for the workplace repository, *your-workplace.gitserver.com*/** ensures a proper match.

Debugging Tips

If the configuration doesn’t work as expected:

1. Check Git Version: Ensure you are using Git 2.38 or later:

   git --version
   

2. Check Remote URL: Verify the remote URL with:

   git remote -v
   

3. Trace Configuration Loading: Use the following command to debug how Git applies configurations:

   GIT_TRACE=1 git config user.email
   

Conclusion

Using conditional configuration in Git can save you from the hassle of manually switching user.name and user.email for different repositories. By leveraging includeIf and patterns like *github.com*/**, you can dynamically apply the correct identity based on the remote URL.

This approach not only simplifies your workflow but also ensures you’re always using the right credentials for the right repositories.

Overview of the Project

The main objective of the project was to extend the SimpleSAMLphp OIDC module (available here) to support the OpenID Federation specification.

This implementation was done by developing a dedicated library that included essential tools such as Trust Chain and metadata resolution. The resulting library can be found here.

Key Features Implemented

1. Automatic Client Registration:
   • This feature allows Relying Parties to register automatically, provided they meet the federation’s trust requirements.
   • Trust Chains were validated and used to determine the eligibility of RPs for registration, ensuring secure and streamlined onboarding.
2. Trust Chain Resolution:
   • Developed mechanisms to dynamically fetch, resolve, and validate entity configurations and subordinate statements using authority hints.
   • The library incorporates caches for efficient entity configuration and Trust Chain management.
3. Federation Endpoints:
   • New federation-specific endpoints were introduced in oidc module for issuing entity statements

Ensuring compatibility with other OpenID implementations was crucial. This involved extensive testing and validation using various tools, including testbed environments provided by the Incubator.

Demonstration and Future Prospects

The module was tested in real-world scenarios, showcasing its capabilities in integrating Relying Parties into federated ecosystems. The implementation paves the way for broader adoption of OpenID Federation in education and research communities.

With the OpenID Federation standard gaining traction, this work contributes to advancing interoperability, security, and automation in identity federation systems. Future development may involve extending this implementation to other systems and enhancing the scalability of the solution.

I had the privilege to present the outcomes during the GEANT Incubator’s Public Sprint Demo on December 17, 2024. The recording is available here: https://surfdrive.surf.nl/files/index.php/s/bzO4H037LWQ7P4w

I had the opportunity to contribute to the GEANT Trust & Identity Incubator (T&I Incubator), where we tackled a pressing challenge: ensuring robust SAML signature validation across federations. This was a critical effort aimed at strengthening the security of Service Providers (SPs) within national research and education networks (NRENs).

Why SAML Signature Validation Matters

SAML (Security Assertion Markup Language) is foundational for identity federation, enabling secure communication between Identity Providers (IdPs) and SPs. However, misconfigurations or vulnerabilities in SPs can lead to security gaps. Proper signature validation ensures that SAML assertions are genuine, tamper-proof, and from trusted sources, which is essential for safeguarding sensitive academic and research data.

Project Goals and Use Cases

Our goal was to develop a scalable software solution to test SAML deployments’ core security aspects. We targeted several use cases, including:

• Self-testing by SPs preparing for production deployment.
• Automated testing during SP onboarding or periodic reviews by federation operators (FedOps)

Technical Innovations and Tools

The project leveraged the Nuclei vulnerability scanner, known for its extensive library and automation capabilities. Custom templates were created to simulate various test scenarios, such as invalid or missing signatures. Key highlights included:

• Test IdP: A SimpleSAMLphp instance with a custom “conformance” module for flexible test configurations.
• Deployment Flexibility: The solution supported multiple SP implementations, including SimpleSAMLphp, Keycloak, and Shibboleth.

Delivering Impact

The sprint demo showcased our progress, highlighting successful validation tests against both compliant and non-compliant SP setups. By enabling proactive security checks, the project promises to help NRENs maintain a trustworthy identity federation ecosystem.

The final demo is available here: SAML Signature Validation demo

The SimpleSAMLphp module is available here: https://github.com/cicnavi/simplesamlphp-module-conformance

Reflections and Next Steps

Participating in the T&I Incubator reinforced the importance of collaboration between technical, operational, and legal stakeholders. As we refine the solution, the focus will be on streamlining deployment and extending support to a broader range of SPs.

This project was a rewarding journey into the complexities of identity federation security. It’s a step forward in fostering trust and resilience in global research and education networks.

Some of the module features are:

• Enables tracking of authentication events, synchronously (during authentication event) or asynchronously (in a separate process using SimpleSAMLphp Cron feature)
• Provides endpoints for end users to check their personal data, summary on connected Service Providers, and list of authentication events
• Comes with default DBAL backend storage, meaning the following database vendors can be used: MySQL, Oracle, Microsoft SQL Server, PostgreSQL, SQLite. Other backend storages can be added by following proper interfaces.
• Comes with setup procedure which sets up backend storage. In case of Doctrine DBAL this means running SQL migrations which create proper tables in configured database.
• Each backend storage connection can have master and slave configuration (master for writing, slave for reading)
• Has tracking functionality available which persist authentication data to backend storage. Currently, module can track connected services and authentication events. Other trackers can be added by following proper interfaces.
• Tracking can run in two ways:
  • synchronously - authentication data persisted during authentication event typically with multiple queries / inserts / updates to backend storage.
  • asynchronously - only authentication event job is persisted during authentication event (one insert to backend storage). With this approach, authentication event jobs can be executed later in a separate process using SimpleSAMLphp cron module

The final video presentation of the project is available here:

https://wiki.geant.org/display/GWP5/Further+improve+the+personal+profile+page?preview=/589070368/695042748/Profile_page_final-demo.mp4

SSP is one of the most widely used IdP/SP software in the GÉANT community. Furthermore, the adoption of OIDC is growing steadily, especially third-parties use it commonly. The OP module offers NRENs and institutions an easy way to provide an OIDC IdP.

The result of the project is a dedicated SimpleSAMLphp module available here: https://github.com/simplesamlphp/simplesamlphp-module-oidc

Currently supported flows with passing conformance tests are:

• Authorization Code flow, with PKCE support (response_type ‘code’)
• Implicit flow (response_type ‘id_token token’ or ‘id_token’)
• Refresh Token flow

The final presentation of the project is available here: https://wiki.geant.org/download/attachments/320471174/SSP-OIDC_demo.mp4?version=1&modificationDate=1632930580727&api=v2

With the release of PHP 8, the must-have development tool Xdebug version 3 is also released, which brings many great new features, but also a change in configuration options.

Dockerfile

Here is the Dockerfile I use to create a Debian container with PHP 8:

https://github.com/cicnavi/dockers/blob/master/dap/80/Dockerfile

Xdebug 3 configuration

Since Xdebug version 3, there are different config options used to start up the debug process. Main difference is to use option ‘xdebug.mode‘ to set the way in which the Xdebug will run, ‘xdebug.discover_client_host’ to set how will Xdebug find about the client host to connect to, and the new default port which is now 9003.

Another important setting is ‘xdebug.client_host’ which should be set to ‘host.docker.internal’ when working with Docker containers.

Full settings that I use are listed in .ini file:

https://github.com/cicnavi/dockers/blob/master/dap/80/php-config/custom.ini

The steps that I present here can ensure that you have considered all the customization in your current app, while also taking into account all the modifications that are introduced in the new Laravel version.

Let’s say that we have an app that is currently run on Laravel 5.5.* and that we want to bump it to Laravel 7.*.

Just to note, my dev setup is:

• Windows with WSL (Linux Subsystem)
• Docker (Debian, Apache, PHP)
• PHPStorm
• Git

Steps for upgrade from Laravel 5.5.* to Laravel 7.*

Git

The first thing I do is create the following:

• in the current app repository create a new Git branch from ‘master’ branch. It can be called something like ‘laravel-7-upgrade’. This branch is used to do all code modifications regarding upgrade process, in the current app. When we are ready at the end, we will merge it with the ‘master’ branch. The sample command to do this is:

cd ~/projects/app
git checkout master
git checkout -b laravel-7-upgrade

• create a new app which will hold a Laravel 7 base installation. When I say ‘base installation’, I mean installation of Laravel without any custom modifications. We will use this new app to check and sync code between Laravel 5.5.* app and Laravel 7.* app. The result we want is to have our current app and a Laravel 7 app in sync. To create a new Laravel 7 app, create a new Laravel project (of course in a separate directory):

cd ..
composer create-project --prefer-dist laravel/laravel:7.* laravel-7-base-installation

• create a new app which will hold a Laravel 5.5.* base installation. We will use this app to check the differences between our production Laravel 5.5.* app and a basic Laravel 5.5.* installation. This way we can be sure about all the custom things that we have introduced in the current app.

composer create-project --prefer-dist laravel/laravel:5.5.* laravel-55-base-installation

Comparing Code

The next step is to compare the code in the current app to the Laravel 7 base installation, and sync all the changes. While we do this we can also reference the Laravel 5 base installation, so we can be sure about our custom modifications in the current app. Let me show you what I mean.

To do code comparison I use an app called WinMerge. It is an Open Source differencing and merging tool for Windows. It can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.

Let’s compare our current app with the Laravel 7 installation.

In another WinMerge window, I’ll also do a comparison for current app and a Laravel 5.5 base installation.

Now, let’s take a look in comparison results for Laravel 7 base installation. Note the marked ‘Left only’ result.

The ‘Left only’ means that those two folders exist only in our current app. I will copy those two folders to the Laravel 7 installation, so we can keep track of all the changes we have made when comparing our current installation with Laravel 7 installation. Remember, the final result we want is that the current app and a Laravel 7 app are in sync (that it has same content). To copy selected directories we can use button ‘Copy right’:

This action will place marked directories in the Laravel 7 app. If we refresh the comparison results (press F5 or click refresh button), we will see that they are now marked as ‘Identical’.

Let’s take a look at the next example. We have a ‘Kernel.php’ file with different text.

When we open it, we see the next difference.

The only difference is in one comment. We can safely use the version from Laravel 7, since it is newer. To do this, first we mark the difference and then click on the ‘Copy left’ button.

This will bring the change from Laravel 7 app to the current app. When we save and refresh comparison results, we will again see the Kernel.php file marked as ‘Identical’.

Next case, let’s check out Handler.php file.

Right at the top we see a difference in the ‘use’ statements. The question now is which lines are our custom modifications that we have made in the current app, and which changes are introduced in the Laravel 7 version.

To check our custom modifications, we can compare current app with the Laravel 5.5 base installation. Let’s see a comparison result for the Handler.php file in Laravel 5.5 base installation.

As we can see, our custom modification is that we have used ‘AuthenticationException’ and ‘ValidationException’, so we know that those two lines must stay. Other lines correspond to the Laravel 5.5 base installation, so we can consider changing them.

The sync procedure now is this. I copy right to the Laravel 7 app all custom code. I copy left to the current app all newly introduced code if it doesn’t conflict with current code.

For example, in the new Laravel 7 app, it now has the line ‘use Throwable’ instead of ‘use Exception’. After a brief look at the code, I see that the report() method signature is changed and that it now uses Throwable. The Exception class is never used anymore in this file, so I can be sure to replace ‘use Exception’ with ‘use Throwable’. The result for this difference would be this:

Let’s move down and take a look at other difference in the same file. We have a method report() which now has a different signature.

As we mentioned, it now accepts Throwable parameter instead of Exception. Let’s take a look at the comparison with Laravel 5.5 so we can be sure about our modifications that we have introduced in this file regarding this method.

We can see that the only change is in the body of the method. This means that we have to take the new signature from Laravel 7, and also use our custom code in the method. In this case, despite the new signature, the custom code will still work, since Exception is Throwable. The result for this difference is:

There are still some differences in this file, but to solve them the concept is the same as mentioned in the previous example. Let’s take a look at the next case.

The marked files (new config files) are only available in Laravel 7 app, so we can safely copy them to our current app (copy left).

When it comes to cache files, it actually doesn’t matter which version we choose to keep, since those are generated files.

They will actually be cleared in the end of the procedure, so we can use left or right version just to have them in sync, so they don’t get in our way.

Refreshing Composer and Node packages

Regarding Composer, when it comes to ‘composer.json’ file, in essence you should replace all the packages with the newer version from Laravel 7, and keep all the custom packages in your current app. File ‘composer.lock’ can be deleted, as well as ‘vendor’ directory.

Similar thing is with the file ‘packages.json’ – use newer version packages, and keep custom packages. Directory ‘node_modules’ can be deleted.

After the configuration of composer.json and packages.json file, we can enter the following commands to refresh all the newly included and kept packages. Commands are entered for current app:

composer install
npm install

File ‘composer.lock’ can now be copied right to the Laravel 7 app, just to have it in sync. Folders ‘vendor’ and ‘node_modules’ can be copied also, or the above-mentioned commands can be run in the Laravel 7 folder.

To clear all the auto generated files in Laravel, we can now enter the following command in the current app:

php artisan optimize:clear

We can also sync this with the Laravel 7, just to have it in sync.

At the end of the procedure of comparing current app with Laravel 7 app, we should have all the folders and files in sync, like this.

Check Laravel upgrade guides

Laravel documentation is good at covering all the changes a new version brings. When upgrading, we should read all the upgrade guides from the version we are upgrading from to the version we are upgrading to.

For example, in our case, we have regularly used ‘str_’ helper functions which were available in Laravel 5.5 https://laravel.com/docs/5.5/helpers#available-methods, and which are now replaced with ‘Illuminate\Support\Str’ class https://laravel.com/docs/7.x/helpers#available-methods. This means we must search for all occurrences of ‘str_’ functions in our code and replace them with corresponding methods available in ‘Str’ class.

PHP version

If you didn’t already run your Laravel 5.5.* application on higher PHP version, upgrading from Laravel 5.5.* to Laravel 7.* also means upgrading from PHP 7.0 to PHP 7.2 or higher. If this is the case, this means that we should also check upgrade guides for PHP:

• https://www.php.net/manual/en/migration71.php
• https://www.php.net/manual/en/migration72.php
• https://www.php.net/manual/en/migration73.php
• https://www.php.net/manual/en/migration74.php

Save production state and git commit 🙂

When you have made sure that your app works, you can make your commit for the upgrade. When upgrading, I like to have as few commits as possible, preferably only one 🙂 (as if everything works from single commit :P).

git commit -m "Upgrade to Laravel 7"
git push -u origin laravel-7-upgrade

If you remember, we are on a new branch used for upgrade only. We still have our production state available on the ‘master’ branch. Let’s just keep current production state in a new branch, so we have it available for quick checkout.

git checkout master
git checkout -b pre-laravel-7-upgrade
git checkout master

At this point, since everything works, we can merge the upgrade branch with master and push it to repository.

git merge laravel-7-upgrade
git push