Hi,
we are using SATOSA to allow EduGAIN users to access our services. The service is protected by KeyCloak and in KeyCloak we configured SATOSA as a SAML Identity Provider.
Users from the EduGAIN access-check IdP can now access the service, but it looks like we have problems with some IdP's which don't have a signing key in the EduGAIN metadata.
When looking in file '/opt/satosa/lib/python3.5/site-packages/saml2/sigver.py' there is a flag 'only_use_keys_in_metadata' which looks to be set to True, which means that only signing keys from the metadata files are allowed. When I hardcode this flag to be set to False, also users from IdP's without a signing key can authenticate, but I can't seem to find where I can configure this in the SATOSA saml2_backend.yaml file. Is it possible to configure this flag in SATOSA?
Thanks,
Dirk
Indien u VITO Mol bezoekt, hou aub er dan rekening mee dat de hoofdingang voortaan enkel bereikbaar is vanuit de richting Dessel-Retie, niet vanuit richting Mol, zie vito.be/route.<http://www.vito.be/route>
If you plan to visit VITO at Mol, then please note that the main entrance can only be reached coming from Dessel-Retie and no longer coming from Mol, see vito.be/en/contact/locations.<http://www.vito.be/en/contact/locations>
VITO Disclaimer: http://www.vito.be/e-maildisclaimer
Hi all,
Our SP application connects to an identity federation via Satosa. We have
two authentication flows, one which starts the authentication process using
SAML and one which starts the authentication flow using OIDC. The entire
process works well when using OIDC only, however, a requirement is that we
can start the same process via SAML.
After authentication (via SAML) is completed, the SP application tries to
- Request a code
- Request an OIDC access token using the code
- Check the access token using the userinfo endpoint
The issue that we are facing in the flow which starts the authentication by
SAML, is that the user is presented with the WAYF page twice. The first
time during the SAML flow, and the second time when requesting an OIDC
code. I assumed that because the user had just authenticated themselves,
Satosa would be able to return a code without asking the user to
authenticate again.
My questions are:
- Have I made a mistake in assuming this is a logical process to use for
authentication and authorisation? Is using SAML and OIDC in a mixed way a
bad idea?
- Is it possible to receive a OIDC code or access token as a result of a
SAML authentication flow?
- If not, is it possible to receive a code or access token without asking
the user to authenticate once again? I would imagine setting Satosa to
'remember IdP' would forgo the second round of authentication when using
SAML. Are there other options of achieving this?
Thank you in advance.
Kind regards,
Jonathan Blok
--
Kind regards,
*Jonathan Blok*
Technical Project Officer / Software Developer
*T* +31 35 - 677 16 79 | *M* +31 6 - 4 669 14 58
*Availability:* Mon, Tue, Wed, Fri
<http://www.beeldengeluid.nl/>
*Netherlands Institute for Sound and Vision | Nederlands Instituut voor
Beeld en Geluid*
*Media Parkboulevard 1, 1217 WE Hilversum | Postbus 1060, 1200 BB
Hilversum | *
*beeldengeluid.nl* <http://www.beeldengeluid.nl/>
<http://files.beeldengeluid.nl/handtekening/index.html>
I will have some SPs behind the proxy that need to use the refeds MFA profile via InCommon along with other SPs behind the same proxy that only require simple one-step password authentication. I’ve looked through the list archives and don’t see a solution to the problem I’m having.
I can verify by watching the browser saml flow that the SP is correctly requesting refeds mfa in RequestedAuthnContext. However, this request does not appear to be passed on to the selected IdP and the MFA authentication attribute is not set upon return.
There appears to be configuration available (acr_mapping) to specify what AuthnContextClassRef value satosa returns to the SP based on the selected IdP but that is not what we need for this application.
My question: is satosa supposed to pass the SP’s requested AuthnContext to the end user’s IdP and pass back the IdP’s response?
I’ll dig some more but am hoping that someone already knows how/if this should work in satosa.
Thanks much, Jim
Hi Satosa users,
I’m trying to add the Swiss eduPerson attributes [1] to the Satosa attribute maps [2] but running into problems when trying to use them. I’m running Satosa with Docker and have pulled the swiss attributes into .py files in the attributemaps folder, added them to my internal_attribute.yaml schema, restarted my container… however they don’t seem to be recognised.
==========================
The attribute coming from my IdP
==========================
<ns0:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>
====================================================
The config in internal_attribute.yaml (I just want to pass the attribute straight through to my Eps)
====================================================
swissedupersonhomeorganization:
saml: [swissEduPersonHomeOrganization]
==========================
Debug messages
==========================
"Unknown attribute name: <ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>”
...
"skipped backend attribute '['swissEduPersonHomeOrganization']': no value found”
The OID appears to be correct (SWISSEDUPERSON_OID = 'urn:oid:2.16.756.1.2.5.1.1.’, SWISSEDUPERSON_OID+’4' =‘swissEduPersonHomeOrganization’). Am I missing something? Some missing config or some cache somewhere?
Thanks in advance for any advice,
Hannah
[1] https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
[2] https://github.com/IdentityPython/SATOSA/pull/270
Hi to everybody,
I'm doing fine with pyMultiLDAP as MS [3].
I can test multiple LDAP connections with received, aggregated and
rewritten data directly with pymultildap from command line, before move
configuration to deployed systems.
The same settings[1] used command line would be used in MS configuration,
as is.
I'm using multildap in satosa, in my pysaml2 Idp[2] and also as general
purpose LDAP proxy for SEARCH and BIND methods, with the help of slapd-sock.
At this moment I do not need too much parameters per SP in the MS
configuration but probably in the future I will. I preferred to delegate
data behaviour directly in multildap.settings instead of MS configuration.
I share as it come,
regards
[1]
https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.…
<https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.…>
[2] https://uniauth.readthedocs.io/en/latest/index.html
[3]
https://github.com/peppelinux/pyMultiLDAP/tree/fe602e39240d6a3240f09c852cb6…
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
Hi.
I believe I have resolved my issues and have a functioning SATOSA instance in my pre-prod environment.
I hit 5 main items (so far) and hope that capturing can help others have an easier story.
I’m interested in helping improve docs and need guidance as to where and how – github wiki? Fork repo then do a pull request?
Reflections on using SATOSA in pre-prod use marching toward full production use so far:
* Starting from zero to this stage was non-small but any other proxy story would have been more effort IMO.
* These items were costly in time to come by and hope that it helps shorten implementations to capture them.
* If I had them, SATOSA is a slam dunk on fastest and ‘thinnest’ deployment.
Kudos to the work put into SATOSA and for future work on the horizon.
Thoughts and questions welcome as always .. my notes and details on how I resolved things are below.
C
Main challenges and steps taken to have SATOSA operating as expected for attribute passing and assertion handling
=======================================================
1. Sp.xml proved impactful on parsing if it had too much in it thus rendering the filter attributes empty
===========
I had ACS entries for required/requested attributes which seem to have bumped my internal_attributes filter sufficiently to zero (empirical observation)
My resolution: remove those elements as well as the MD contact info from the sp.xml metadata appeared to have resolved this first step
Suggestion: more clarity on this element would help.
1. YAML syntax on how to ingest an aggregate in the ‘backend’ was tough to decipher and documentation is thin or maybe aged out.
===========
My resulting format working for my docker image: satosa/satosa:latest for the backend.yaml is:
<snip>
metadata:
remote:
- {url: "https://url.to/fed.xml", cert: "/opt/satosa/etc/pki/testfed.crt"}
<snip>
This does not align with documentation that I’ve encountered for SATOSA.
Suggestion: configuration for multi-lateral federation would benefit to be an example. As would version sensitivity of it and more examples to show what would be sufficient to run
1. Internal_attributes.yaml mapping transformed email to mail thus downstream was ‘no email, no access!’
===========
The mapping of email to mail OIDs – YIKES! Who knew that PKCS_9 +1 vs UCL_DIR_PILOT+3 were different? I hated myself on this one
* The hurt was in internal_attributes.yaml had
* Mail:
* Saml: [email, emailAddress, mail]
* As such it translated the Shib assertion from ‘mail’ to ‘email’ OID
Action taken to resolve: set saml: [mail] for the mail element
Suggestion: there’s a lot to talk about here on mapping – this is a place for some good practices and what’s there looks good for just working but the transposition was subtle to detect. Hard to say how to make it easier without more thought.
1. Run SATOSA behind apache to trap errors better was tough to find and used a slightly different way than the WSGI interface
===========
The reference to error handling is a bit oblique as there’s more than one way to do it and the WSGI apache proxy was not immediately there for me
Here’s the snippet from the apache2 config that allows me to handle the 404’ing of access for a more graceful error page handling:
#
# proxy SATOSA so we can handle 404's better
# don’t forget to a2en proxy; a2en proxy_http in apache2
# ProxyErrorOverride is **CRITICAL** to trap the 404 passed up by gunicorn.
Proxypass /Saml2 http://127.0.0.1:8000/Saml2
ProxyPassReverse /Saml2 http://127.0.0.1:8000/Saml2
ProxyErrorOverride On
ErrorDocument 404 /errors/404.html
Suggestion: This is a strong need for error handling. Templating it for the enhancement listed in the issue tracker not so much as just give me some plain html locations to use or mount in the container rather than punting to a proxy above resulting in a proxy of a proxy.
1. To handle ADFS assertions inbound to SATOSA properly needed the backend.yaml/federation facing settings to want_response_signed=False and not ‘true’
===========
Testing various IdPs like Shibboleth and ADFS revealed that to use ADFS out of the box with a SAML trust to SATOSA I needed want_response_signed=False.
* This deploys as ‘true’ for SATOSA recommended (and is a good posture to be fair!) but ADFS won’t play fair with it that I could tell.
* This was only uncovered while reading ‘Signature error: Signature missing for respose’ in google and found this:
* https://github.com/IdentityPython/pysaml2/issues/490
Suggestion: Again, this is a practitioner configuration. Thankfully the setting is there, now it needs more revelation in documentation and how to use things and consequences of the action like this.
From: Chris Phillips <Chris.Phillips at canarie.ca>
Date: Friday, July 19, 2019 at 8:50 AM
To: "satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se>
Subject: Guidance sought on allowing attributes to pass through with statosa/statosa:latest
Hi.
I’m trying to work through a SATOSA story of SP with only one IdP configured to be proxied to use a federation aggregates’ metadata. Sign on is working and always get Filter: [] and returning attributes {} when I expect attributes to be sent by SATOSA.
I’m using the docker image Latest and have also tried v4.4.0 with same result. I don’t think I’m too fancy and am using SATOSA ‘out of the box’ and am looking for guidance/insight/suggestions on what may be wrong, missing, or off by a few columns in YAML 😊
I have had success in the past at TIIME in Feb2019 with Matt E. but that was non-docker and a v3.4.8 install: https://lists.sunet.se/pipermail/satosa-users/2019-February/000067.html
I have seen/explored the microservices/ filter_attributes.yaml.example but that is more along suppression rather than permit passage. Must I whitelist everything?
Thanks for any insight/guidance on this. I have a gist with front/backends here: https://gist.github.com/canariecaf/2216d3de5e5872ecaa08cf03548ec559
Happy to jump on Slack and chat there too – is there a slack area for satosa/idpy BTW or the edugain.slack.com location have idpy like venues for chats like this?
C
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing path: Saml2/acs/post
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Found registered endpoint: module name:'Saml2', endpoint: Saml2/acs/post
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['email', 'emailAdress', 'mail']' mapped to mail
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['postaladdress']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['sn', 'surname']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['displayName']' mapped to displayname
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['givenName']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['eduPersonTargetedID']' mapped to edupersontargetedid
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['cn']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] backend received attributes:
satosa_1 | {
satosa_1 | "eduPersonPrincipalName": [
satosa_1 | "something at canarie.ca"
satosa_1 | ],
satosa_1 | "mail": [
satosa_1 | "Chris.Phillips at canarie.ca"
satosa_1 | ],
satosa_1 | "eduPersonScopedAffiliation": [
satosa_1 | "staff at canarie.ca"
satosa_1 | ],
satosa_1 | "eduPersonAffiliation": [
satosa_1 | "staff"
satosa_1 | ],
satosa_1 | "eduPersonTargetedID": [
satosa_1 | "SUPPRESED="
satosa_1 | ],
satosa_1 | "displayName": [
satosa_1 | "Chris Phillips"
satosa_1 | ]
satosa_1 | }
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing to frontend: Saml2IDP
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Filter: []
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] returning attributes {}
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Saving state as cookie, secure: True, max-age: 1200, path: /
Hello satosa users,
O'Reilly Media is working to build out a proper multilateral federation SP
for our platform. We have deployed Shibboleth SP3 for development but are
finding that integrating our existing systems with Shib to be inefficient
and rather kludgy. SATOSA looks like a great fit for our python-based
AuthN/Z OIDC backend but I have only identified a handful of deployments
(E.G. GÉANT and possibly CERN).
We would use it as a SAML backend and OIDC frontend with InCommon's MDQ
feed and, initially, their discovery service as well.
For those who have deployed SATOSA in production, what has your experience
been in terms of reliability and maintainability, either generally or as
compared to Shib SP3? Also, can you share roughly how much ongoing IT and
development time has been needed to maintain a high level of uptime?
I welcome additional feedback and suggestions as well.
Thank you!
-jesse
--
Jesse Banning
Manager of Platform Integration
O'Reilly Media, Inc. <https://oreilly.com> (Boston Office
<https://www.google.com/maps/place/O'Reilly>)
(617)499-7575 | jbanning at oreilly.com
Calendar: https://beta.doodle.com/jbanning
Hi.
I’m trying to work through a SATOSA story of SP with only one IdP configured to be proxied to use a federation aggregates’ metadata. Sign on is working and always get Filter: [] and returning attributes {} when I expect attributes to be sent by SATOSA.
I’m using the docker image Latest and have also tried v4.4.0 with same result. I don’t think I’m too fancy and am using SATOSA ‘out of the box’ and am looking for guidance/insight/suggestions on what may be wrong, missing, or off by a few columns in YAML 😊
I have had success in the past at TIIME in Feb2019 with Matt E. but that was non-docker and a v3.4.8 install: https://lists.sunet.se/pipermail/satosa-users/2019-February/000067.html
I have seen/explored the microservices/ filter_attributes.yaml.example but that is more along suppression rather than permit passage. Must I whitelist everything?
Thanks for any insight/guidance on this. I have a gist with front/backends here: https://gist.github.com/canariecaf/2216d3de5e5872ecaa08cf03548ec559
Happy to jump on Slack and chat there too – is there a slack area for satosa/idpy BTW or the edugain.slack.com location have idpy like venues for chats like this?
C
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing path: Saml2/acs/post
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Found registered endpoint: module name:'Saml2', endpoint: Saml2/acs/post
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['email', 'emailAdress', 'mail']' mapped to mail
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['postaladdress']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['sn', 'surname']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['displayName']' mapped to displayname
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['givenName']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['eduPersonTargetedID']' mapped to edupersontargetedid
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['cn']': no value found
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] backend received attributes:
satosa_1 | {
satosa_1 | "eduPersonPrincipalName": [
satosa_1 | "something at canarie.ca"
satosa_1 | ],
satosa_1 | "mail": [
satosa_1 | "Chris.Phillips at canarie.ca"
satosa_1 | ],
satosa_1 | "eduPersonScopedAffiliation": [
satosa_1 | "staff at canarie.ca"
satosa_1 | ],
satosa_1 | "eduPersonAffiliation": [
satosa_1 | "staff"
satosa_1 | ],
satosa_1 | "eduPersonTargetedID": [
satosa_1 | "SUPPRESED="
satosa_1 | ],
satosa_1 | "displayName": [
satosa_1 | "Chris Phillips"
satosa_1 | ]
satosa_1 | }
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing to frontend: Saml2IDP
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Filter: []
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] returning attributes {}
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256
satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Saving state as cookie, secure: True, max-age: 1200, path: /
Is there an option to limit a microservice to either frontend or backend?
If not, I would propose to extend MicroService with 2 bool args, like:
def __init__(self, name, base_url, backend=True, frontend=True, **kwargs):
Thanks, Rainer
Dear Satosa Users,
I'm trying to create a ResponseMicroService which generates a subject identifier of pairwise-id [1] from the eduPersonTargetedID provided by the Home Organization's IdP.
To avoid collisions, I want the input to the generator for the pairwise-id to contain entityID + '!' + eduPersonTargetedID, but the Response Context doesn't appear to contain the entityID of the originating IdP. Evidently I don't understand the model which SATOSA uses to pass information from backend to frontend...
- Is there a way to access the proxied IdP's entityID from a ResponseMicroService?
- Would it be better to generate the attribute in a RequestMicroService?
- Do microservices act in the order that they're defined in proxy_conf.yaml? For example, can I define a microservice to generate the new attribute from an existing attribute, and then filter out the existing attribute.
Any information appreciated.
Thanks,
Alex
[1] SAML subject identifier attributes, https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-su…
—
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart at jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
