Hi,
Is there a place yet for contributed microservices?
I ask because I have written a microservice I am calling
"PrimaryIdentifier" for the NIAID use case.
An example configuration might look like this:
module: primary_identifier.PrimaryIdentifier
name: PrimaryIdentifier
config:
idp_identifiers:
- epuid
-
- eppn
- name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-
- eppn
- edupersontargetedid
- eppn
-
- name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- issuer
-
- edupersontargetedid
- issuer
clear_input_attributes: no
primary_identifier: uid
on_error: https://registration.scienceforum.sc/registry/collaboration_error/co_collab…
With this configuration the microservice will examine the attributes
asserted by a campus/organization IdP and look in the following order
for a value to use as the primary identifier:
1) eduPersonUniqueId
2) eduPersonPrincipalName and SAML2 persistent NameID, in case the IdP
is signaling it reassigns eduPersonPrincipalName
3) eduPersonPrincipalName and eduPersonTargetedId, in case the IdP is
signaling it reassigns eduPersonPrincipalName
4) eduPersonPrincipalName
5) SAML2 persistent NameID
6) eduPersonTargetedId
The special identifier 'issuer' signals that any value found is to be
"scoped" with the entityID of the IdP.
When it finds the first value it can use from that search order it then
asserts that value as 'uid' to the SP.
If no value is found after the configured search order then since
'on_error' is set it will redirect the browser to an "error" service to
handle that error.
Right now we are planning on using a custom COmanage Registry plugin to
"catch" the error and display instructions to the user.
I am wondering if any other project might have use for the microservice?
Any other thoughts?
Thanks,
Scott K
Hi all,
How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
Governance questions for Satosa:
* IPR needs to be sorted out (who will hold it?)
* CLAs need to be in place
* Re-license if required
Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
What time(s) do people have available tomorrow (Wednesday)?
-Heather
Sent from my iPad
Sent from my iPad
I need to build a SAML2SAML proxy and would like to adopt SaToSa for this project, which happens to be the Austrian K12 federation. With most IDPs a NREN-like mesh federation would be a straightforward solution, but there are a few requirements that need a proxy:
(1) The IDP for federal employees needs to see all K12 applications appear as a single SP. (The use case is commercial, because the IDP is charging per application and per user.)
(2) For some IDPs: Create/update an LDAP user object for a subset of attributes
(3) Add a profile completion flow for first-time users to confirm/modify email addresses
(4) Allow embedded discovery (SHOULD)
(5) Staying compatible with the SaToSa upstream project.
The attached picture shows the options with 1:1 and 1:n mapping of IDPs. Are both approaches supported by SaToSa? Is it possible to add an interactive flow to the proxy to update profile data?
- Rainer
Works for me too.
/hans
> 30 maj 2017 kl. 13:39 skrev satosa-dev-request at lists.sunet.se:
>
> Send Satosa-dev mailing list submissions to
> satosa-dev at lists.sunet.se
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sunet.se/listinfo/satosa-dev
> or, via email, send a message with subject or body 'help' to
> satosa-dev-request at lists.sunet.se
>
> You can reach the person managing the list at
> satosa-dev-owner at lists.sunet.se
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Satosa-dev digest..."
>
>
> Today's Topics:
>
> 1. Satosa governance meeting at TNC? (heather flanagan)
> 2. Re: Satosa governance meeting at TNC? (Ioannis Kakavas)
> 3. Re: Satosa governance meeting at TNC? (Leif Johansson)
> 4. Re: Satosa governance meeting at TNC? (heather flanagan)
> 5. Re: Satosa governance meeting at TNC? (Niels van Dijk)
> 6. Re: Satosa governance meeting at TNC? (Roland Hedberg)
> 7. Re: Satosa governance meeting at TNC? (Nick Roy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 30 May 2017 12:00:20 +0200
> From: heather flanagan <hlflanagan at gmail.com>
> To: satosa-dev at lists.sunet.se
> Subject: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <8F7CD832-1FD8-4E19-A883-323298C2D789 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi all,
>
> How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
>
> Governance questions for Satosa:
> * IPR needs to be sorted out (who will hold it?)
> * CLAs need to be in place
> * Re-license if required
>
> Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
>
> What time(s) do people have available tomorrow (Wednesday)?
>
> -Heather
> Sent from my iPad
>
>
> Sent from my iPad
>
> ------------------------------
>
> Message: 2
> Date: Tue, 30 May 2017 12:07:14 +0200
> From: Ioannis Kakavas <ikakavas at noc.grnet.gr>
> To: heather flanagan <hlflanagan at gmail.com>
> Cc: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <7de486aa-6f82-442f-91da-450a3b6de324 at noc.grnet.gr>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Heather,
>
> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>
> Ioannis
>
>
> -------- Original Message --------
> From: heather flanagan <hlflanagan at gmail.com>
> Sent: Tue May 30 12:00:20 GMT+02:00 2017
> To: satosa-dev at lists.sunet.se
> Subject: [Satosa-dev] Satosa governance meeting at TNC?
>
> Hi all,
>
> How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
>
> Governance questions for Satosa:
> * IPR needs to be sorted out (who will hold it?)
> * CLAs need to be in place
> * Re-license if required
>
> Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
>
> What time(s) do people have available tomorrow (Wednesday)?
>
> -Heather
> Sent from my iPad
>
>
> Sent from my iPad
> _______________________________________________
> Satosa-dev mailing list
> Satosa-dev at lists.sunet.se
> https://lists.sunet.se/listinfo/satosa-dev
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 30 May 2017 12:12:39 +0200
> From: Leif Johansson <leifj at sunet.se>
> To: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <9b5d535d-2451-a761-bdd6-29e8fc75a918 at sunet.se>
> Content-Type: text/plain; charset=utf-8
>
> On 2017-05-30 12:07, Ioannis Kakavas wrote:
>> Hi Heather,
>>
>> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>>
>> Ioannis
>
> wfm
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 30 May 2017 12:17:07 +0200
> From: heather flanagan <hlflanagan at gmail.com>
> To: Ioannis Kakavas <ikakavas at noc.grnet.gr>
> Cc: satosa-dev at lists.sunet.se
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <2678B8F9-B7C2-4512-9E2D-FA6C3630D8A5 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Ioannis,
>
> I'd actually like to go to that session, and oddly enough the entire rest of the day is free for me. Do you all tend to go to Plenary?
>
> Sent from my iPad
>
>> On May 30, 2017, at 12:07, Ioannis Kakavas <ikakavas at noc.grnet.gr> wrote:
>>
>> Hi Heather,
>>
>> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>>
>> Ioannis
>>
>>
>> -------- Original Message --------
>> From: heather flanagan <hlflanagan at gmail.com>
>> Sent: Tue May 30 12:00:20 GMT+02:00 2017
>> To: satosa-dev at lists.sunet.se
>> Subject: [Satosa-dev] Satosa governance meeting at TNC?
>>
>> Hi all,
>>
>> How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
>>
>> Governance questions for Satosa:
>> * IPR needs to be sorted out (who will hold it?)
>> * CLAs need to be in place
>> * Re-license if required
>>
>> Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
>>
>> What time(s) do people have available tomorrow (Wednesday)?
>>
>> -Heather
>> Sent from my iPad
>>
>>
>> Sent from my iPad
>> _______________________________________________
>> Satosa-dev mailing list
>> Satosa-dev at lists.sunet.se
>> https://lists.sunet.se/listinfo/satosa-dev
>>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 30 May 2017 12:52:49 +0200
> From: Niels van Dijk <niels.vandijk at surfnet.nl>
> To: <satosa-dev at lists.sunet.se>
> Subject: Re: [Satosa-dev] Satosa governance meeting at TNC?
> Message-ID: <42be73b1-ac90-8b32-476c-51f1672d3ce7 at surfnet.nl>
> Content-Type: text/plain; charset="utf-8"
>
> May I propose we meet during the wednesday plenary, which seems to be
> all about networking..
>
>
> On 30-05-17 12:17, heather flanagan wrote:
>> Hi Ioannis,
>>
>> I'd actually like to go to that session, and oddly enough the entire rest of the day is free for me. Do you all tend to go to Plenary?
>>
>> Sent from my iPad
>>
>>> On May 30, 2017, at 12:07, Ioannis Kakavas <ikakavas at noc.grnet.gr> wrote:
>>>
>>> Hi Heather,
>>>
>>> Great idea. I would prefer sometime in the 9.00-10.30 session but I don't really mind if any other time is more appropriate.
>>>
>>> Ioannis
>>>
>>>
>>> -------- Original Message --------
>>> From: heather flanagan <hlflanagan at gmail.com>
>>> Sent: Tue May 30 12:00:20 GMT+02:00 2017
>>> To: satosa-dev at lists.sunet.se
>>> Subject: [Satosa-dev] Satosa governance meeting at TNC?
>>>
>>> Hi all,
>>>
>>> How appropriate that we are back in Austria, which is where we last had serious conversations about Satosa governance! Because we had a few actions out of that earlier meeting that we need to follow up on.
>>>
>>> Governance questions for Satosa:
>>> * IPR needs to be sorted out (who will hold it?)
>>> * CLAs need to be in place
>>> * Re-license if required
>>>
>>> Since many of the folks from the last meeting are here, how about finding a few minutes to meet on the above? Prioritization to the IPR question (since it is top of the list, and the other things fall from it).
>>>
>>> What time(s) do people have available tomorrow (Wednesday)?
>>>
>>> -Heather
>>> Sent from my iPad
>>>
>>>
>>> Sent from my iPad
>>> _______________________________________________
>>> Satosa-dev mailing list
>>> Satosa-dev at lists.sunet.se
>>> https://lists.sunet.se/listinfo/satosa-dev
>>>
>> _______________________________________________
>> Satosa-dev mailing list
>> Satosa-dev at lists.sunet.se
>> https://lists.sunet.se/listinfo/satosa-dev
>
> --
> Niels van Dijk Technical Product Manager Trust & Security
> Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
> SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
> www.surfnet.nlwww.openconext.org
>
>
>
https://github.com/SUNET/SATOSA/pull/89
Sorry about the cryptic name...
This is a PR for attribute-based authorization, eg so you can say "must
have employee at .+ to access this service" etc.
I will push example config to the PR tomorrow...
Cheers Leif
Hi,
It appears that SATOSA and pysaml2 only support SHA1 signing, ie.
<ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
Is that correct?
Thanks,
Scott K
Hi all,
There will be a SaToSa bar BoF on Wednesday, April 26, starting around
4:30pm at the I2GS conference hotel (though if that bar is too small, we
may move). If you are going to be at I2GS and want to talk about SaToSa,
come join us!
-Heather
Hello,
We are using SATOSA primarily as a SAML-to-SAML proxy. One of the IdPs
that federated with the proxy requires signed authn requests. I do not
see that the current verion of SATOSA allows one to configure that
authn requests sent to a particular IdP are signed. Please let me know
if I am incorrect.
The underlying pysaml2 library, of course, does support sending a signed
authn request. It also supports the option "authn_requests_signed":
"Indicates if the Authentication Requests sent by this SP should be
signed by default. This can be overriden by application code for a
specific call."
I suspect SATOSA would pass through the authn_requests_signed option to
pysaml2 already, but I am more interested in being able to control
signing on a per-IdP basis, rather than making it the default for all
IdPs.
Patching SATOSA so that one could configure signing for particular IdPs
looks straightforward. I suspect the largest issue would be the
configuration (yaml) syntax.
My proposal is that saml2_backend.yaml look like this for such a scenario
(leaving out the other options and boilerplate):
module:
satosa.backends.saml2.SAMLBackend
name:
Saml2
config:
sp_config:
service:
sp:
relying_parties:
https://some.idp/entityid:
authn_requests_signed: True
https://another.idp/entityid:
authn_requests_signed: True
This format would be easy to extend over time to enable per-relying party
overrides for the options that pysaml2 allows to be configured per flow.
Thoughts?
Thanks,
Scott K
Hello,
Does SATOSA currently have a URL endpoint that is "satisfactory" and
"clean" for a service health check when running the service behind a
load balancer like Amazon ELB?
I am thinking of something like
https://proxy.my.org/status
If it does not exist already, I propose such an endpoint be added.
Initially all it needs to do is reply with '200 OK' to indicate that the
service is alive. Eventually as time and needs permits it could be
evolved to do something more sophisticated.
Thoughts?
I will open a GitHub issue if nobody objects or tells me that this
functionality already exists.
Thanks,
Scott K
