[Satosa-dev] eIDAS integration

Ivan Kanakarakis ivan.kanak at gmail.com
Thu May 3 16:26:25 UTC 2018


On 3 May 2018 at 17:10, Niels van Dijk <niels.vandijk at surfnet.nl> wrote:
> Hi all (and specifically Ivan as he was committing stuff),
> I note a commit mentioning eIDAS integration, however what was committed
> (https://github.com/IdentityPython/SATOSA/commit/a0b7cf9eb73714cef76d6ab7249df1a52332fe11#diff-7096df3e286d488b77d9e6f1ff6622c6)
> seems a bit too little to actually engage with eIDAS. I am for example

Yes. What you need is to define that you are using an eIDAS backend.
So, a configuration would look like:

  module: satosa.backends.saml2.SAMLEIDASBackend

When you do that, some properties will be defined by default - ie
want_response_signed will be true, force_authn will be true,
allow_unsolicited will be false, etc

pysaml2 already includes eidas related bits. New options include

- hide_assertion_consumer_service:
- sp_type: https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#sp-type
- sp_type_in_metadata:
- requested_attributes:

SATOSA also uses the entityid_endpoint option (automatically set to
true when SAMLEIDASBackend is used). This makes the entityid an
accessible URL.

> not seeing any reference to eIDAS specific saml extentions. Is all of
> that covered in pySAML? I found this as well
> (https://github.com/grnet/pysaml2eidas/tree/devel) , but that does not
> seem to be used by SatoSa?

This repo is not used - it should be removed.

> What would I need to pull together to setup a satosa based eIDAS gateway?

set the module to be SAMLEIDASBackend
make the entityid an https url
configure internal_attributes.yaml to convert eIDAS NaturalPerson or
LegalPerson attributes to SAML/OIDC/etc
and you should be set.

At GRNET we have a working installation with the eIDAS demo
implementation provided by EU (Java based). That implementation
requires some more things to work out of the box - ie a 'country'
property with some value is needed (the demo EU SP node provides a
countrly selector view) and it seems that only the POST binding is

Try it out ;)

Ivan c00kiemon5ter Kanakarakis  >:3

More information about the Satosa-dev mailing list