Hi,
Probably this issue is a bug related to SaToSa; I'm asking you to confirm.
Explanation
---------------
When I select an IDP from DiscoServ (pyFF), for example:
https://satosa.testunical.it:10000/Saml2/disco?entityID=http://idpspid.test…
SaToSa tells me
[urn:uuid:919bfe04-a291-4ce3-979c-1d9317177057] Found registered endpoint:
module name:'Saml2', endpoint: Saml2/metadata
Expected Behavior
-----------------------
I've registered another Saml2 backend called spidSaml2, in its metadata I
can read:
<ns2:DiscoveryResponse
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://satosa.testunical.it:10000/spidSaml2/disco"
index="1"/>
I'd expect to have a request pointing to spidSaml2/disco and not
Saml2/disco, but this is not the case, so I developed the
"DecideBackendByTarget" microservice.
Can you please tell me which of the following assertions is true?
a) this is a bug and the microservice I developed is just a temporary
workaround
OR
b) all the requests coming from Disco (context.path = $backendname/disco)
will always have the Saml2 backend as default
If b), the microservice could be useful, probably with an additional code
refactor; if a), can you confirm this please?
Thank you
On Sun 14 Apr 2019 at 22:55 Giuseppe De Marco <
giuseppe.demarco at unical.it> wrote:
Hi to everybody,
I developed a microservice that can map specific SaToSa backends to
specific target entity IDs. A configuration example could be this:
````
module: satosa.micro_services.custom_routing.DecideBackendByTarget
name: TargetRouter
config:
  target_mapping:
    "http://idpspid.testunical.it:8088": "spidSaml2"
    "http://strangeIDP.testunical.it:8081/saml2/metadata": "strangeSaml2"
````
I needed backend routing based on the target entity ID because I have
some SAML2 IDPs that only accept highly customized authn requests and
metadata. An example would be the SPID Italian federation, through which my
organization will federate soon with SaToSa. Another example could be the
need to use different configurations, like enc and digest algorithms,
depending on the target IDP.
I was looking into the DecideBackendByRequester microservice, but I soon
realized that it was made for different goals: in it the subject is the
requester entity ID and not the target entity ID.
As you can see in
https://github.com/IdentityPython/SATOSA/pull/220
I made a single branch to pull only this feature.
I'm also curious about the SaToSa milestones: which features are in
development, which will compose the next release, and another
question about the possibility of having a dev branch to open PRs against.
I don't know if this microservice could sound useless to you; I searched a
lot before programming it and I hope to have made a middleware that could
be useful for the SaToSa community.
Hope to hear your comments soon
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496945
e-mail: giuseppe.demarco at unical.it
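As an added illustration of the routing decision described by the TargetRouter configuration in the quoted message: the block below is example code written for this page, not SATOSA's own DecideBackendByTarget microservice and not the code in the author's PR. It re-implements the decision in isolation: take the entityID that the discovery service sends back on the <backend>/disco URL, look it up in target_mapping with an exact string match, and fall back to a default backend otherwise. The registered backend names, the default backend "Saml2" and the discovery URLs are assumptions constructed for the example.

```python
"""Standalone illustration of backend routing by target entity ID.

Added example for this page; it mirrors only the target_mapping shape of
the TargetRouter configuration and does not use SATOSA's own API.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed mapping, same content as the target_mapping in the YAML above.
TARGET_MAPPING = {
    "http://idpspid.testunical.it:8088": "spidSaml2",
    "http://strangeIDP.testunical.it:8081/saml2/metadata": "strangeSaml2",
}

# Assumption for the example: these backends are registered in the proxy,
# and Saml2 is the backend every discovery response comes back to.
REGISTERED_BACKENDS = {"Saml2", "spidSaml2", "strangeSaml2"}
DEFAULT_BACKEND = "Saml2"


def entity_id_from_disco_url(url):
    """Return the entityID query parameter of a discovery response, or None.

    The discovery service (pyFF here) redirects the browser back to
    <backend>/disco?entityID=<idp entity id>. The entity ID is itself a
    URL, so it may arrive percent-encoded; parse_qs decodes it.
    """
    values = parse_qs(urlsplit(url).query).get("entityID")
    return values[0] if values else None


def backend_from_disco_path(url):
    """Return the backend name the discovery response was addressed to.

    This is the first path segment of <backend>/disco; in the thread above
    it is always Saml2, whichever backend's metadata was used.
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[0] if segments else None


def decide_backend(entity_id, mapping=TARGET_MAPPING,
                   registered=REGISTERED_BACKENDS, default=DEFAULT_BACKEND):
    """Choose the backend for a target IdP by exact entity ID match.

    The lookup is a dictionary lookup, never a prefix or substring match:
    the user chooses the IdP in the discovery service, so the entity ID
    is attacker-influenced input, and a lookalike such as
    "http://idpspid.testunical.it:8088.evil" must not be routed to the
    spidSaml2 backend just because it starts with a mapped value.
    """
    backend = mapping.get(entity_id, default)
    if backend not in registered:
        # A typo in the mapping should fail loudly, not silently fall
        # through to some other backend at request time.
        raise ValueError(
            f"backend {backend!r} mapped for {entity_id!r} is not registered")
    return backend


def route_disco_request(url):
    """Full decision for one discovery response URL.

    Returns (entity_id, backend the URL pointed at, backend chosen).
    """
    entity_id = entity_id_from_disco_url(url)
    if entity_id is None:
        raise ValueError("discovery response without entityID")
    return entity_id, backend_from_disco_path(url), decide_backend(entity_id)


if __name__ == "__main__":
    # Constructed discovery response, percent-encoded as a browser sends it.
    url = ("https://satosa.testunical.it:10000/Saml2/disco"
           "?entityID=http%3A%2F%2Fidpspid.testunical.it%3A8088")
    print(route_disco_request(url))
```

The third element of the tuple is the backend the mapping selects, while the second is the backend the discovery response actually arrived at; the two differ exactly in the situation the thread describes (the response comes back to Saml2/disco but the target IdP needs spidSaml2). Any entity ID that is not an exact key of the mapping, including a lookalike with extra characters, gets the default backend.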