- satosa-users - lists3.sunet.se

by ferdy.mul＠ncr.nstda.or.th

Resend. From: Ferdy Mulyadi <ferdy.mul at ncr.nstda.or.th> Sent: Selasa, 04 Februari 2020 10.15 To: 'satosa-users at lists.sunet.se' <satosa-users at lists.sunet.se> Subject: SATOSA Single Logout Service Hi SATOSA users, Currently, we are working on SSO project which is Zoom SSO service. We use SATOSA proxy in order to connect with our identity federation (one-to-many type), and we have already implemented single sign-on (SSO) service and it's working, however we still require single logout service (SLO). We couldn't find any SATOSA configuration regarding to SLO from SATOSA documentation. Without SLO, although user has already selected and clicked log out from Zoom, the session still there, otherwise user requires to clear the browser cache. Could you explain to us, how to implement SLO in SATOSA? Thank you. ---------------- Best regards, Mr. Ferdy Mulyadi Research Assistant Internet Innovation Research Team (INO - CNWRG) National Electronics and Computer Technology Center (NECTEC) National Science and Technology Department Agency (NSTDA) Thailand Science Park (TSP) - 112 Phaholyothin Rd., Khlong Nueng, Khlong Luang Pathum Thani, THAILAND ________________________________ Disclaimer: This e-mail and any files transmitted with it may contain confidential and proprietary information of the National Science and Technology Development Agency (NSTDA), Thailand. They are intended solely for the use of the addressed individuals or entities. If you are not the intended recipient, you are required to immediately delete this e-mail and its contents from your system. Any disclosure, distribution, or action based upon the contents of this e-mail is strictly prohibited. Any views or opinions presented in this e-mail are solely those of the sender and do not necessarily represent those of NSTDA. NSTDA does not accept any responsibility for the content of this message or the consequences of any actions taken on the basis of the information provided. NSTDA accepts no liability for any damage caused by any virus or malware which may be inserted in this e-mail during transmission.

6 years, 3 months

2
1
0 0

SATOSA only_use_keys_in_metadata flag

by dirk.daems＠vito.be

Hi, we are using SATOSA to allow EduGAIN users to access our services. The service is protected by KeyCloak and in KeyCloak we configured SATOSA as a SAML Identity Provider. Users from the EduGAIN access-check IdP can now access the service, but it looks like we have problems with some IdP's which don't have a signing key in the EduGAIN metadata. When looking in file '/opt/satosa/lib/python3.5/site-packages/saml2/sigver.py' there is a flag 'only_use_keys_in_metadata' which looks to be set to True, which means that only signing keys from the metadata files are allowed. When I hardcode this flag to be set to False, also users from IdP's without a signing key can authenticate, but I can't seem to find where I can configure this in the SATOSA saml2_backend.yaml file. Is it possible to configure this flag in SATOSA? Thanks, Dirk Indien u VITO Mol bezoekt, hou aub er dan rekening mee dat de hoofdingang voortaan enkel bereikbaar is vanuit de richting Dessel-Retie, niet vanuit richting Mol, zie vito.be/route.<http://www.vito.be/route> If you plan to visit VITO at Mol, then please note that the main entrance can only be reached coming from Dessel-Retie and no longer coming from Mol, see vito.be/en/contact/locations.<http://www.vito.be/en/contact/locations> VITO Disclaimer: http://www.vito.be/e-maildisclaimer

6 years, 5 months

2
1
0 0

Question regarding double WAYF prompt

by jblok＠beeldengeluid.nl

Hi all, Our SP application connects to an identity federation via Satosa. We have two authentication flows, one which starts the authentication process using SAML and one which starts the authentication flow using OIDC. The entire process works well when using OIDC only, however, a requirement is that we can start the same process via SAML. After authentication (via SAML) is completed, the SP application tries to - Request a code - Request an OIDC access token using the code - Check the access token using the userinfo endpoint The issue that we are facing in the flow which starts the authentication by SAML, is that the user is presented with the WAYF page twice. The first time during the SAML flow, and the second time when requesting an OIDC code. I assumed that because the user had just authenticated themselves, Satosa would be able to return a code without asking the user to authenticate again. My questions are: - Have I made a mistake in assuming this is a logical process to use for authentication and authorisation? Is using SAML and OIDC in a mixed way a bad idea? - Is it possible to receive a OIDC code or access token as a result of a SAML authentication flow? - If not, is it possible to receive a code or access token without asking the user to authenticate once again? I would imagine setting Satosa to 'remember IdP' would forgo the second round of authentication when using SAML. Are there other options of achieving this? Thank you in advance. Kind regards, Jonathan Blok -- Kind regards, *Jonathan Blok* Technical Project Officer / Software Developer *T* +31 35 - 677 16 79 | *M* +31 6 - 4 669 14 58 *Availability:* Mon, Tue, Wed, Fri <http://www.beeldengeluid.nl/> *Netherlands Institute for Sound and Vision | Nederlands Instituut voor Beeld en Geluid* *Media Parkboulevard 1, 1217 WE Hilversum | Postbus 1060, 1200 BB Hilversum | * *beeldengeluid.nl* <http://www.beeldengeluid.nl/> <http://files.beeldengeluid.nl/handtekening/index.html>

6 years, 7 months

1
0
0 0

MFA and SATOSA

by jaj＠virginia.edu

I will have some SPs behind the proxy that need to use the refeds MFA profile via InCommon along with other SPs behind the same proxy that only require simple one-step password authentication. I’ve looked through the list archives and don’t see a solution to the problem I’m having. I can verify by watching the browser saml flow that the SP is correctly requesting refeds mfa in RequestedAuthnContext. However, this request does not appear to be passed on to the selected IdP and the MFA authentication attribute is not set upon return. There appears to be configuration available (acr_mapping) to specify what AuthnContextClassRef value satosa returns to the SP based on the selected IdP but that is not what we need for this application. My question: is satosa supposed to pass the SP’s requested AuthnContext to the end user’s IdP and pass back the IdP’s response? I’ll dig some more but am hoping that someone already knows how/if this should work in satosa. Thanks much, Jim

6 years, 7 months

2
3
0 0

Adding to attribute maps

by hannah.short＠cern.ch

Hi Satosa users, I’m trying to add the Swiss eduPerson attributes [1] to the Satosa attribute maps [2] but running into problems when trying to use them. I’m running Satosa with Docker and have pulled the swiss attributes into .py files in the attributemaps folder, added them to my internal_attribute.yaml schema, restarted my container… however they don’t seem to be recognised. ========================== The attribute coming from my IdP ========================== <ns0:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute> ==================================================== The config in internal_attribute.yaml (I just want to pass the attribute straight through to my Eps) ==================================================== swissedupersonhomeorganization: saml: [swissEduPersonHomeOrganization] ========================== Debug messages ========================== "Unknown attribute name: <ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cern.ch</ns0:AttributeValue></ns0:Attribute>” ... "skipped backend attribute '['swissEduPersonHomeOrganization']': no value found” The OID appears to be correct (SWISSEDUPERSON_OID = 'urn:oid:2.16.756.1.2.5.1.1.’, SWISSEDUPERSON_OID+’4' =‘swissEduPersonHomeOrganization’). Am I missing something? Some missing config or some cache somewhere? Thanks in advance for any advice, Hannah [1] https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf [2] https://github.com/IdentityPython/SATOSA/pull/270

6 years, 9 months

3
8
0 0

pyMultiLDAP as SATOSA microservice

by giuseppe.demarco＠unical.it

Hi to everybody, I'm doing fine with pyMultiLDAP as MS [3]. I can test multiple LDAP connections with received, aggregated and rewritten data directly with pymultildap from command line, before move configuration to deployed systems. The same settings[1] used command line would be used in MS configuration, as is. I'm using multildap in satosa, in my pysaml2 Idp[2] and also as general purpose LDAP proxy for SEARCH and BIND methods, with the help of slapd-sock. At this moment I do not need too much parameters per SP in the MS configuration but probably in the future I will. I preferred to delegate data behaviour directly in multildap.settings instead of MS configuration. I share as it come, regards [1] https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.… <https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.…> [2] https://uniauth.readthedocs.io/en/latest/index.html [3] https://github.com/peppelinux/pyMultiLDAP/tree/fe602e39240d6a3240f09c852cb6… -- ____________________ Dott. Giuseppe De Marco CENTRO ICT DI ATENEO University of Calabria 87036 Rende (CS) - Italy Phone: +39 0984 496961 e-mail: giuseppe.demarco at unical.it

6 years, 9 months

1
0
0 0

<resolved>Re: Guidance sought on allowing attributes to pass through with statosa/statosa:latest

by Chris.Phillips＠canarie.ca

Hi. I believe I have resolved my issues and have a functioning SATOSA instance in my pre-prod environment. I hit 5 main items (so far) and hope that capturing can help others have an easier story. I’m interested in helping improve docs and need guidance as to where and how – github wiki? Fork repo then do a pull request? Reflections on using SATOSA in pre-prod use marching toward full production use so far: * Starting from zero to this stage was non-small but any other proxy story would have been more effort IMO. * These items were costly in time to come by and hope that it helps shorten implementations to capture them. * If I had them, SATOSA is a slam dunk on fastest and ‘thinnest’ deployment. Kudos to the work put into SATOSA and for future work on the horizon. Thoughts and questions welcome as always .. my notes and details on how I resolved things are below. C Main challenges and steps taken to have SATOSA operating as expected for attribute passing and assertion handling ======================================================= 1. Sp.xml proved impactful on parsing if it had too much in it thus rendering the filter attributes empty =========== I had ACS entries for required/requested attributes which seem to have bumped my internal_attributes filter sufficiently to zero (empirical observation) My resolution: remove those elements as well as the MD contact info from the sp.xml metadata appeared to have resolved this first step Suggestion: more clarity on this element would help. 1. YAML syntax on how to ingest an aggregate in the ‘backend’ was tough to decipher and documentation is thin or maybe aged out. =========== My resulting format working for my docker image: satosa/satosa:latest for the backend.yaml is: <snip> metadata: remote: - {url: "https://url.to/fed.xml", cert: "/opt/satosa/etc/pki/testfed.crt"} <snip> This does not align with documentation that I’ve encountered for SATOSA. Suggestion: configuration for multi-lateral federation would benefit to be an example. As would version sensitivity of it and more examples to show what would be sufficient to run 1. Internal_attributes.yaml mapping transformed email to mail thus downstream was ‘no email, no access!’ =========== The mapping of email to mail OIDs – YIKES! Who knew that PKCS_9 +1 vs UCL_DIR_PILOT+3 were different? I hated myself on this one * The hurt was in internal_attributes.yaml had * Mail: * Saml: [email, emailAddress, mail] * As such it translated the Shib assertion from ‘mail’ to ‘email’ OID Action taken to resolve: set saml: [mail] for the mail element Suggestion: there’s a lot to talk about here on mapping – this is a place for some good practices and what’s there looks good for just working but the transposition was subtle to detect. Hard to say how to make it easier without more thought. 1. Run SATOSA behind apache to trap errors better was tough to find and used a slightly different way than the WSGI interface =========== The reference to error handling is a bit oblique as there’s more than one way to do it and the WSGI apache proxy was not immediately there for me Here’s the snippet from the apache2 config that allows me to handle the 404’ing of access for a more graceful error page handling: # # proxy SATOSA so we can handle 404's better # don’t forget to a2en proxy; a2en proxy_http in apache2 # ProxyErrorOverride is **CRITICAL** to trap the 404 passed up by gunicorn. Proxypass /Saml2 http://127.0.0.1:8000/Saml2 ProxyPassReverse /Saml2 http://127.0.0.1:8000/Saml2 ProxyErrorOverride On ErrorDocument 404 /errors/404.html Suggestion: This is a strong need for error handling. Templating it for the enhancement listed in the issue tracker not so much as just give me some plain html locations to use or mount in the container rather than punting to a proxy above resulting in a proxy of a proxy. 1. To handle ADFS assertions inbound to SATOSA properly needed the backend.yaml/federation facing settings to want_response_signed=False and not ‘true’ =========== Testing various IdPs like Shibboleth and ADFS revealed that to use ADFS out of the box with a SAML trust to SATOSA I needed want_response_signed=False. * This deploys as ‘true’ for SATOSA recommended (and is a good posture to be fair!) but ADFS won’t play fair with it that I could tell. * This was only uncovered while reading ‘Signature error: Signature missing for respose’ in google and found this: * https://github.com/IdentityPython/pysaml2/issues/490 Suggestion: Again, this is a practitioner configuration. Thankfully the setting is there, now it needs more revelation in documentation and how to use things and consequences of the action like this. From: Chris Phillips <Chris.Phillips at canarie.ca> Date: Friday, July 19, 2019 at 8:50 AM To: "satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se> Subject: Guidance sought on allowing attributes to pass through with statosa/statosa:latest Hi. I’m trying to work through a SATOSA story of SP with only one IdP configured to be proxied to use a federation aggregates’ metadata. Sign on is working and always get Filter: [] and returning attributes {} when I expect attributes to be sent by SATOSA. I’m using the docker image Latest and have also tried v4.4.0 with same result. I don’t think I’m too fancy and am using SATOSA ‘out of the box’ and am looking for guidance/insight/suggestions on what may be wrong, missing, or off by a few columns in YAML 😊 I have had success in the past at TIIME in Feb2019 with Matt E. but that was non-docker and a v3.4.8 install: https://lists.sunet.se/pipermail/satosa-users/2019-February/000067.html I have seen/explored the microservices/ filter_attributes.yaml.example but that is more along suppression rather than permit passage. Must I whitelist everything? Thanks for any insight/guidance on this. I have a gist with front/backends here: https://gist.github.com/canariecaf/2216d3de5e5872ecaa08cf03548ec559 Happy to jump on Slack and chat there too – is there a slack area for satosa/idpy BTW or the edugain.slack.com location have idpy like venues for chats like this? C satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing path: Saml2/acs/post satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Found registered endpoint: module name:'Saml2', endpoint: Saml2/acs/post satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['email', 'emailAdress', 'mail']' mapped to mail satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['postaladdress']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['sn', 'surname']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['displayName']' mapped to displayname satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['givenName']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['eduPersonTargetedID']' mapped to edupersontargetedid satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['cn']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] backend received attributes: satosa_1 | { satosa_1 | "eduPersonPrincipalName": [ satosa_1 | "something at canarie.ca" satosa_1 | ], satosa_1 | "mail": [ satosa_1 | "Chris.Phillips at canarie.ca" satosa_1 | ], satosa_1 | "eduPersonScopedAffiliation": [ satosa_1 | "staff at canarie.ca" satosa_1 | ], satosa_1 | "eduPersonAffiliation": [ satosa_1 | "staff" satosa_1 | ], satosa_1 | "eduPersonTargetedID": [ satosa_1 | "SUPPRESED=" satosa_1 | ], satosa_1 | "displayName": [ satosa_1 | "Chris Phillips" satosa_1 | ] satosa_1 | } satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing to frontend: Saml2IDP satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Filter: [] satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] returning attributes {} satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Saving state as cookie, secure: True, max-age: 1200, path: /

6 years, 9 months

3
2
0 0

Production deployments of Satosa?

by jbanning＠oreilly.com

Hello satosa users, O'Reilly Media is working to build out a proper multilateral federation SP for our platform. We have deployed Shibboleth SP3 for development but are finding that integrating our existing systems with Shib to be inefficient and rather kludgy. SATOSA looks like a great fit for our python-based AuthN/Z OIDC backend but I have only identified a handful of deployments (E.G. GÉANT and possibly CERN). We would use it as a SAML backend and OIDC frontend with InCommon's MDQ feed and, initially, their discovery service as well. For those who have deployed SATOSA in production, what has your experience been in terms of reliability and maintainability, either generally or as compared to Shib SP3? Also, can you share roughly how much ongoing IT and development time has been needed to maintain a high level of uptime? I welcome additional feedback and suggestions as well. Thank you! -jesse -- Jesse Banning Manager of Platform Integration O'Reilly Media, Inc. <https://oreilly.com> (Boston Office <https://www.google.com/maps/place/O'Reilly>) (617)499-7575 | jbanning at oreilly.com Calendar: https://beta.doodle.com/jbanning

6 years, 9 months

2
1
0 0

Guidance sought on allowing attributes to pass through with statosa/statosa:latest

by Chris.Phillips＠canarie.ca

Hi. I’m trying to work through a SATOSA story of SP with only one IdP configured to be proxied to use a federation aggregates’ metadata. Sign on is working and always get Filter: [] and returning attributes {} when I expect attributes to be sent by SATOSA. I’m using the docker image Latest and have also tried v4.4.0 with same result. I don’t think I’m too fancy and am using SATOSA ‘out of the box’ and am looking for guidance/insight/suggestions on what may be wrong, missing, or off by a few columns in YAML 😊 I have had success in the past at TIIME in Feb2019 with Matt E. but that was non-docker and a v3.4.8 install: https://lists.sunet.se/pipermail/satosa-users/2019-February/000067.html I have seen/explored the microservices/ filter_attributes.yaml.example but that is more along suppression rather than permit passage. Must I whitelist everything? Thanks for any insight/guidance on this. I have a gist with front/backends here: https://gist.github.com/canariecaf/2216d3de5e5872ecaa08cf03548ec559 Happy to jump on Slack and chat there too – is there a slack area for satosa/idpy BTW or the edugain.slack.com location have idpy like venues for chats like this? C satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing path: Saml2/acs/post satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Found registered endpoint: module name:'Saml2', endpoint: Saml2/acs/post satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['email', 'emailAdress', 'mail']' mapped to mail satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['postaladdress']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['sn', 'surname']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['displayName']' mapped to displayname satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['givenName']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: backend attribute '['eduPersonTargetedID']' mapped to edupersontargetedid satosa_1 | [2019-07-19 02:21:07] [DEBUG]: skipped backend attribute '['cn']': no value found satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] backend received attributes: satosa_1 | { satosa_1 | "eduPersonPrincipalName": [ satosa_1 | "something at canarie.ca" satosa_1 | ], satosa_1 | "mail": [ satosa_1 | "Chris.Phillips at canarie.ca" satosa_1 | ], satosa_1 | "eduPersonScopedAffiliation": [ satosa_1 | "staff at canarie.ca" satosa_1 | ], satosa_1 | "eduPersonAffiliation": [ satosa_1 | "staff" satosa_1 | ], satosa_1 | "eduPersonTargetedID": [ satosa_1 | "SUPPRESED=" satosa_1 | ], satosa_1 | "displayName": [ satosa_1 | "Chris Phillips" satosa_1 | ] satosa_1 | } satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Routing to frontend: Saml2IDP satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Filter: [] satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] returning attributes {} satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] signing with algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] using digest algorithm http://www.w3.org/2001/04/xmlenc#sha256 satosa_1 | [2019-07-19 02:21:07] [DEBUG]: [urn:uuid:d7919f3e-0361-4ec5-aa1b-b5560eb6305c] Saving state as cookie, secure: True, max-age: 1200, path: /

6 years, 9 months

1
0
0 0

binding a microservice to either a frontend or backend

by rainer＠hoerbe.at

Is there an option to limit a microservice to either frontend or backend? If not, I would propose to extend MicroService with 2 bool args, like: def __init__(self, name, base_url, backend=True, frontend=True, **kwargs): Thanks, Rainer

6 years, 11 months

3
4
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

satosa-users