Hi,
I need to build a SAML2SAML proxy and would like to adopt SaToSa for this project, which happens to be the Austrian K12 federation. With most IDPs a NREN-like mesh federation would be a straightforward solution, but there are a few requirements that need a proxy:
(1) The IDP for federal employees needs to see all K12 applications
appear as a single SP. (The use case is commercial, because the IDP is
charging per application and per user.)
That should be straightforward (of course) with SATOSA.
(2) For some IDPs: Create/update an LDAP user object for a subset of attributes
You should find it straightforward to write a "microservice" that does
this.
There are a number of microservices already that you can look at for
guidance, but in particular the "LDAP attribute store" microservice will
already have code you can copy for connecting to an LDAP directory.
(3) Add a profile completion flow for first-time users to confirm/modify email addresses
The account linking and consent microservices can guide you. Note that
for both of those the flow actually leaves SATOSA and then comes back
(i.e. the actual work is delegated to another service).
(4) Allow embedded discovery (SHOULD)
I am not sure what you mean by "embedded".
The SAML backend that interfaces with IdPs requires a discovery service
if there is metadata for more than one IdP. Normally you would just
configure that backend with the URL for an existing SAML discovery service.
If you really want SATOSA to "embed" the discovery service you could
write it as another frontend/backend (just inherit from the base classes
as the existing SAML frontend/backend do) with its own URL space.
(5) Staying compatible with the SaToSa upstream project.
My experience so far is that the architecture of SATOSA makes it
straightforward to extend/customize without losing compatibility with
the upstream project.
The attached picture shows the options with 1:1 and 1:n mapping of IDPs. Are both approaches supported by SaToSa?
I have not done it myself (I am focusing on more of a "full mesh"
architecture), but based on my understanding of the SATOSA architecture I
would answer "yes", though probably not "out of the box" with just
configuration since you are attempting to do both at the same time.
I expect you will need to do some coding, but it will be
relatively straightforward.
Is it possible to add an interactive flow to the proxy to update profile data?
Again, yes, see the account linking or consent microservices for
examples. They are "external" to SATOSA proper, but I expect that model
will work better for you in the long run.
My $0.02,
Scott K
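As an added illustration of the kind of microservice suggested for requirement (2), here is a sketch of a SATOSA ResponseMicroService that creates or updates an LDAP user object from a configured subset of the asserted attributes. This is example code written for this page, not code from SATOSA, the LDAP attribute store microservice, or the poster; the config keys (attribute_subset, id_attribute, base_dn, connection) and the ldap3-like connection object are assumptions, and the MODIFY_REPLACE constant mirrors ldap3's so the module runs without that dependency.

```python
try:  # real base class when deployed inside SATOSA
    from satosa.micro_services.base import ResponseMicroService
except ImportError:  # stand-in so this module also runs outside a SATOSA deployment
    class ResponseMicroService:
        def __init__(self, *args, **kwargs): pass
        def process(self, context, data): return data

# ldap3 names the modify operation with this string; mirrored here so the change
# set can be built and inspected without importing ldap3.
MODIFY_REPLACE = "MODIFY_REPLACE"


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so an asserted value cannot alter the LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_ldap_changes(attributes: dict, subset: dict) -> dict:
    """Map a configured subset of internal attributes to ldap3-style changes.

    `subset` maps SATOSA internal attribute name -> LDAP attribute name.
    Attributes absent from the assertion are skipped, not cleared, so a partial
    assertion never wipes data already in the directory.
    """
    return {ldap_attr: [(MODIFY_REPLACE, list(attributes[internal]))]
            for internal, ldap_attr in subset.items() if attributes.get(internal)}


class LdapUserUpsert(ResponseMicroService):
    """Create or update the user's LDAP object from a subset of attributes.

    Config keys are hypothetical: attribute_subset, id_attribute, base_dn and a
    `connection` with ldap3-like search()/add()/modify() methods.
    """

    def __init__(self, config, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.subset, self.id_attr = config["attribute_subset"], config["id_attribute"]
        self.base_dn, self.conn = config["base_dn"], config["connection"]

    def process(self, context, data):
        uid = (data.attributes.get(self.id_attr) or [None])[0]
        changes = build_ldap_changes(data.attributes, self.subset)
        if uid and changes:
            dn = f"uid={uid},{self.base_dn}"  # production code must also escape the RDN
            if self.conn.search(self.base_dn, f"(uid={escape_filter(uid)})"):
                self.conn.modify(dn, changes)
            else:
                attrs = {k: v[0][1] for k, v in changes.items()}
                self.conn.add(dn, ["inetOrgPerson"], attrs)
        return super().process(context, data)
```

The microservice only ever touches the attributes listed in attribute_subset, so the directory sees a bounded, auditable write per login rather than the whole assertion.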