Hello everyone,
SATOSA in its current state offers an attribute mapping configuration.
Internally, the attribute mapping mechanism does exactly what it
states: it maps attribute values from one attribute name to another.
The current format is as follows (can also be seen here[0]):
attributes:
  identifier:
    saml: [eduPersonPrincipalName]
    openid: [sub]
While this declarative configuration is very useful and is what makes
SATOSA stand out as a proxy, there are cases where, for the mapping to
be valid, we would need to process the attribute value. Semantically,
that means that what is needed is conversion rather than mapping.
An example use case would be the mapping of the openid 'sub'
identifier to the saml 'eduPersonPrincipalName' attribute. From the
respective specifications[1][2] we can see that the two attributes
have different structure and requirements. The 'sub' identifier is
part of a JSON Web Token and thus inherits all the rules for forming a
valid JWT, plus the requirement of
> [...] It MUST NOT exceed 255 ASCII characters in length. [...]
while, for the eduPersonPrincipalName attribute we read
> [...] It should be represented in the form "user@scope" [...]
In order to map the sub identifier to eduPersonPrincipalName and
conform to the specification, processing of the attribute value should
take place, transforming the sub identifier format to the "user@scope"
format.
We propose a simple, non-intrusive change to the current attribute
mapping configuration format that would allow us to hook into the
mapping mechanism and process the attribute value before mapping it.
Here is the proposed format for the attribute mapping configuration:
attributes:
  identifier:
    saml: [eduPersonPrincipalName]
    openid: [sub]
    processor:
      module: python.module.that.inherits.from.AttributeProcessor
      key1: value1
      key2: value2
The proposed change adds a _special_ sub-dictionary named "processor"
under each internal attribute dictionary, which requires the 'module'
key to be present. The 'module' key is the python module path of our
custom module that is responsible for processing the attribute value. The
custom module inherits from the AttributeProcessor module, which
defines the interface of the processing method and its invocation.
Extra keys like 'key1' and 'key2' can be set and are passed as
arguments to our module, acting as module-specific configuration
options, allowing further configuration flexibility for the processor.
By default, the AttributeProcessor does nothing more than simply
mapping the attribute value, which is what currently happens and what
should happen if "processor" is not set.
The above described format allows us to stay compatible with the
current configuration format, while giving us the choice and
flexibility to further define the mapping behaviour by allowing us to
hook into the mapping mechanism and process the attribute value.
We are currently working on an implementation and we would appreciate
any feedback on the format, the AttributeProcessor interface, naming
of the newly introduced parts ('processor', 'AttributeProcessor',
etc), and your opinion on whether this could be part of the core of
SATOSA.
[0]: https://github.com/SUNET/SATOSA/blob/master/example/internal_attributes.yam…
[1]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[2]: http://macedir.org/specs/eduperson/#eduPersonPrincipalName
Thanks,
--
Ivan Kanakarakis
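As an added illustration of the proposed format (this is neither SATOSA's code nor the proposal's implementation; the class and helper names, the 'scope' option and the rejection rules are assumptions made for the example), the following Python sketch reads the "processor" sub-dictionary, instantiates the named class with the extra keys as options, falls back to the identity processor when "processor" is absent, and applies it while mapping an OIDC 'sub' to eduPersonPrincipalName:

```python
"""Illustration of the proposed 'processor' hook in SATOSA's attribute mapping.

Added sketch only, not SATOSA code: the class names, the 'scope' option and
the validation rules are assumptions made for this example.
"""
import importlib
import re


class AttributeProcessor:
    """Base processor: the default maps the value through unchanged."""

    def __init__(self, **options):
        # Extra keys next to 'module' (key1: value1, ...) arrive here.
        self.options = options

    def process(self, value):
        return value


class SubToEppnProcessor(AttributeProcessor):
    """Convert an OIDC 'sub' into an eduPersonPrincipalName 'user@scope' value.

    Assumed option: 'scope'. The processor fails closed: rather than rewriting
    characters (which could make two distinct subs collide), it rejects any
    sub that cannot become a valid eppn user part as-is.
    """

    # Conservative user-part alphabet; '@' is excluded so a sub that already
    # carries a scope is not silently double-scoped.
    _USER_PART = re.compile(r"^[A-Za-z0-9._-]+$")

    def process(self, value):
        scope = self.options["scope"]
        if not isinstance(value, str) or not value.isascii() or len(value) > 255:
            raise ValueError("sub MUST be at most 255 ASCII characters")
        if not self._USER_PART.match(value):
            raise ValueError("sub has characters not allowed in an eppn user part")
        return f"{value}@{scope}"


def _resolve(dotted):
    """Resolve 'pkg.module.ClassName' to the class object."""
    module_path, _, class_name = dotted.rpartition(".")
    if module_path == __name__:  # class defined in this very file
        return globals()[class_name]
    return getattr(importlib.import_module(module_path), class_name)


def load_processor(attribute_entry):
    """Build the processor for one internal attribute of the mapping.
    No 'processor' key means the identity AttributeProcessor (current behaviour)."""
    spec = attribute_entry.get("processor")
    if spec is None:
        return AttributeProcessor()
    cls = _resolve(spec["module"])
    if not (isinstance(cls, type) and issubclass(cls, AttributeProcessor)):
        raise TypeError(f"{spec['module']} is not an AttributeProcessor")
    options = {k: v for k, v in spec.items() if k != "module"}
    return cls(**options)


def map_attributes(mapping, from_profile, to_profile, attributes):
    """Map values from one profile's attribute names to another's.
    Values are lists, as in SATOSA's internal representation; each value goes
    through the entry's processor before it is emitted under the target names."""
    result = {}
    for entry in mapping["attributes"].values():
        values = [v for name in entry.get(from_profile, []) for v in attributes.get(name, [])]
        if not values:
            continue
        processor = load_processor(entry)
        converted = [processor.process(v) for v in values]
        for target_name in entry.get(to_profile, []):
            result[target_name] = list(converted)
    return result


# Python form of the proposed YAML; 'mail' has no processor and is mapped as-is.
MAPPING = {
    "attributes": {
        "identifier": {
            "saml": ["eduPersonPrincipalName"],
            "openid": ["sub"],
            "processor": {
                # A real deployment names an importable module path here.
                "module": f"{__name__}.SubToEppnProcessor",
                "scope": "example.org",
            },
        },
        "mail": {"saml": ["mail"], "openid": ["email"]},
    }
}


def demo():
    # Constructed OIDC claims from an upstream OP (not real data).
    claims = {"sub": ["248289761001"], "email": ["jane@example.org"]}
    return map_attributes(MAPPING, "openid", "saml", claims)


if __name__ == "__main__":
    print(demo())
```

The processor rejects rather than rewrites: an identifier that is mangled into a valid shape can collide with another user's identifier, which is worse for an SP than receiving no value at all.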
According to my notes, there was a proposal for a f2f Sept 27 - 29... is
this still the plan? (It's about two months out, so for US originating
travel the window will rapidly close in terms of getting funding and
logistics in place.)
Thanks,
-Benn-
Hi,
Is there a place yet for contributed microservices?
I ask because I have written a microservice I am calling
"PrimaryIdentifier" for the NIAID use case.
An example configuration might look like this:
module: primary_identifier.PrimaryIdentifier
name: PrimaryIdentifier
config:
  idp_identifiers:
    - epuid
    -
      - eppn
      - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    -
      - eppn
      - edupersontargetedid
    - eppn
    -
      - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      - issuer
    -
      - edupersontargetedid
      - issuer
  clear_input_attributes: no
  primary_identifier: uid
  on_error: https://registration.scienceforum.sc/registry/collaboration_error/co_collab…
With this configuration the microservice will examine the attributes
asserted by a campus/organization IdP and look in the following order
for a value to use as the primary identifier:
1) eduPersonUniqueId
2) eduPersonPrincipalName and SAML2 persistent NameID, in case the IdP
is signaling it reassigns eduPersonPrincipalName
3) eduPersonPrincipalName and eduPersonTargetedId, in case the IdP is
signaling it reassigns eduPersonPrincipalName
4) eduPersonPrincipalName
5) SAML2 persistent NameID
6) eduPersonTargetedId
The special identifier 'issuer' signals that any value found is to be
"scoped" with the entityID of the IdP.
When it finds the first value it can use from that search order it then
asserts that value as 'uid' to the SP.
If no value is found after the configured search order then since
'on_error' is set it will redirect the browser to an "error" service to
handle that error.
Right now we are planning on using a custom COmanage Registry plugin to
"catch" the error and display instructions to the user.
I am wondering if any other project might have use for the microservice?
Any other thoughts?
Thanks,
Scott K
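The search order described in the post above, re-implemented as an added Python example (this is not the PrimaryIdentifier microservice's own code): the configuration is the Python form of the posted YAML, and the way a multi-source step is combined (parts joined with "!"), how the SAML NameID and the IdP entityID are handed in, the helper names and the sample IdP responses are all assumptions of this sketch.

```python
"""Added re-implementation of the ordered identifier search described for the
PrimaryIdentifier microservice. Not the microservice's code: the '!' joiner,
the NameID/issuer parameters and the helper names are assumptions.
"""

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
JOINER = "!"  # assumed separator for steps that combine several sources

# Python form of the posted YAML; 'no' is YAML for False.
CONFIG = {
    "idp_identifiers": [
        "epuid",
        ["eppn", {"name_id": PERSISTENT}],
        ["eppn", "edupersontargetedid"],
        "eppn",
        [{"name_id": PERSISTENT}, "issuer"],
        ["edupersontargetedid", "issuer"],
    ],
    "clear_input_attributes": False,
    "primary_identifier": "uid",
    # Constructed placeholder; the real URL in the post is elided.
    "on_error": "https://registration.example.org/error",
}


def _single_value(source, attrs, name_id, issuer):
    """Value one search-order source yields, or None if it cannot be used.

    A multi-valued attribute is ambiguous as an identifier and is skipped.
    """
    if source == "issuer":  # scope the value with the IdP's entityID
        return issuer
    if isinstance(source, dict):  # {"name_id": <format>}: the SAML NameID
        if name_id and name_id.get("format") == source["name_id"]:
            return name_id.get("value") or None
        return None
    values = attrs.get(source) or []
    return values[0] if len(values) == 1 else None


def select_primary_identifier(config, attrs, name_id, issuer):
    """Walk idp_identifiers in order; a step is usable only when every one of
    its sources yields a value. Returns the identifier or None."""
    for step in config["idp_identifiers"]:
        sources = step if isinstance(step, list) else [step]
        parts = [_single_value(s, attrs, name_id, issuer) for s in sources]
        if all(parts):
            return JOINER.join(parts)
    return None


def build_response(config, attrs, name_id, issuer):
    """Assert the chosen value under primary_identifier, or fail closed:
    redirect to on_error when configured, otherwise raise."""
    value = select_primary_identifier(config, attrs, name_id, issuer)
    if value is None:
        if config.get("on_error"):
            return {"redirect": config["on_error"]}
        raise LookupError("no usable identifier asserted by the IdP")
    out = {} if config.get("clear_input_attributes") else dict(attrs)
    out[config["primary_identifier"]] = [value]
    return out


# Constructed sample responses (attributes, NameID) from hypothetical IdPs.
IDP = "https://idp.example.edu/idp/shibboleth"
SAMPLES = {
    "has_epuid": ({"epuid": ["abc123@example.edu"], "eppn": ["jdoe@example.edu"]}, None),
    "eppn_reassigned": ({"eppn": ["jdoe@example.edu"]},
                        {"format": PERSISTENT, "value": "p3rs1st3nt"}),
    "targeted_only": ({"edupersontargetedid": ["t4rg3t3d"]}, None),
    "nothing_usable": ({"mail": ["jdoe@example.edu"]}, None),
}


def run_samples():
    return {name: build_response(CONFIG, attrs, name_id, IDP)
            for name, (attrs, name_id) in SAMPLES.items()}


if __name__ == "__main__":
    for name, response in run_samples().items():
        print(name, response)
```

Note the fail-closed behaviour: an IdP that asserts only a multi-valued eppn, or nothing from the list at all, ends up at on_error rather than getting an arbitrary value promoted to 'uid'.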
Hi all,
How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
Governance questions for Satosa:
* IPR needs to be sorted out (who will hold it?)
* CLAs need to be in place
* Re-license if required
Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
What time(s) do people have available tomorrow (Wednesday)?
-Heather
Sent from my iPad
I need to build a SAML2SAML proxy and would like to adopt SaToSa for this project, which happens to be the Austrian K12 federation. With most IDPs a NREN-like mesh federation would be a straightforward solution, but there are a few requirements that need a proxy:
(1) The IDP for federal employees needs to see all K12 applications appear as a single SP. (The use case is commercial, because the IDP is charging per application and per user.)
(2) For some IDPs: Create/update an LDAP user object for a subset of attributes
(3) Add a profile completion flow for first-time users to confirm/modify email addresses
(4) Allow embedded discovery (SHOULD)
(5) Staying compatible with the SaToSa upstream project.
The attached picture shows the options with 1:1 and 1:n mapping of IDPs. Are both approaches supported by SaToSa? Is it possible to add an interactive flow to the proxy to update profile data?
- Rainer
Works for me too.
/hans
> On 30 May 2017, at 13:39, satosa-dev-request at lists.sunet.se wrote:
>
>
> Today's Topics:
>
> 1. Satosa governance meeting at TNC? (heather flanagan)
> 2. Re: Satosa governance meeting at TNC? (Ioannis Kakavas)
> 3. Re: Satosa governance meeting at TNC? (Leif Johansson)
> 4. Re: Satosa governance meeting at TNC? (heather flanagan)
> 5. Re: Satosa governance meeting at TNC? (Niels van Dijk)
> 6. Re: Satosa governance meeting at TNC? (Roland Hedberg)
> 7. Re: Satosa governance meeting at TNC? (Nick Roy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 30 May 2017 12:00:20 +0200
> From: heather flanagan <hlflanagan at gmail.com>
> To: satosa-dev at lists.sunet.se
> Subject: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <8F7CD832-1FD8-4E19-A883-323298C2D789 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi all,
>
> How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
>
> Governance questions for Satosa:
> * IPR needs to be sorted out (who will hold it?)
> * CLAs need to be in place
> * Re-license if required
>
> Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
>
> What time(s) do people have available tomorrow (Wednesday)?
>
> -Heather
> Sent from my iPad
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 30 May 2017 12:07:14 +0200
> From: Ioannis Kakavas <ikakavas at noc.grnet.gr>
> To: heather flanagan <hlflanagan at gmail.com>
> Cc: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <7de486aa-6f82-442f-91da-450a3b6de324 at noc.grnet.gr>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Heather,
>
> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>
> Ioannis
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 30 May 2017 12:12:39 +0200
> From: Leif Johansson <leifj at sunet.se>
> To: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <9b5d535d-2451-a761-bdd6-29e8fc75a918 at sunet.se>
> Content-Type: text/plain; charset=utf-8
>
> On 2017-05-30 12:07, Ioannis Kakavas wrote:
>> Hi Heather,
>>
>> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>>
>> Ioannis
>
> wfm
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 30 May 2017 12:17:07 +0200
> From: heather flanagan <hlflanagan at gmail.com>
> To: Ioannis Kakavas <ikakavas at noc.grnet.gr>
> Cc: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <2678B8F9-B7C2-4512-9E2D-FA6C3630D8A5 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Ioannis,
>
> I'd actually like to go to that session, and oddly enough the entire rest of the day is free for me. Do you all tend to go to Plenary?
>
> Sent from my iPad
>
> ------------------------------
>
> Message: 5
> Date: Tue, 30 May 2017 12:52:49 +0200
> From: Niels van Dijk <niels.vandijk at surfnet.nl>
> To: <satosa-dev at lists.sunet.se>
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <42be73b1-ac90-8b32-476c-51f1672d3ce7 at surfnet.nl>
> Content-Type: text/plain; charset="utf-8"
>
> May I propose we meet during the wednesday plenary, which seems to be
> all about networking..
>
> --
> Niels van Dijk Technical Product Manager Trust & Security
> Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
> SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
> www.surfnet.nl | www.openconext.org
>
>
>
https://github.com/SUNET/SATOSA/pull/89
Sorry about the cryptic name...
This is a PR for attribute-based authorization, e.g. so you can say "must
have employee@.+ to access this service" etc.
I will push example config to the PR tomorrow...
Cheers Leif
Hi,
It appears that SATOSA and pysaml2 only support SHA1 signing, i.e.
<ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
Is that correct?
Thanks,
Scott K
Hi all,
There will be a SaToSa bar BoF on Wednesday, April 26, starting around
4:30pm at the I2GS conference hotel (though if that bar is too small, we
may move). If you are going to be at I2GS and want to talk about SaToSa,
come join us!
-Heather