[Satosa-dev] eIDAS integration

Niels van Dijk niels.vandijk at surfnet.nl
Fri May 4 07:40:07 UTC 2018


Thanks again Ivan!


On 03-05-18 18:26, Ivan Kanakarakis wrote:
> Hello,
>
> On 3 May 2018 at 17:10, Niels van Dijk <niels.vandijk at surfnet.nl> wrote:
>> Hi all (and specifically Ivan as he was committing stuff),
>>
>> I note a commit mentioning eIDAS integration, however what was committed
>> (https://github.com/IdentityPython/SATOSA/commit/a0b7cf9eb73714cef76d6ab7249df1a52332fe11#diff-7096df3e286d488b77d9e6f1ff6622c6)
>> seems a bit too little to actually engage with eIDAS. I am for example
> Yes. What you need is to define that you are using an eIDAS backend.
> So, a configuration would look like:
>
>   module: satosa.backends.saml2.SAMLEIDASBackend
>
> When you do that, some properties will be defined by default - i.e.
> want_response_signed will be true, force_authn will be true,
> allow_unsolicited will be false, etc.
>
> pysaml2 already includes eidas related bits. New options include
>
> - hide_assertion_consumer_service:
> https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#hide-assertion-consumer-service
> - sp_type: https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#sp-type
> - sp_type_in_metadata:
> https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#sp-type-in-metadata
> - requested_attributes:
> https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#requested-attributes
>
> SATOSA also uses the entityid_endpoint option (automatically set to
> true when SAMLEIDASBackend is used). This makes the entityid an
> accessible URL.
>
>
>> not seeing any reference to eIDAS specific saml extensions. Is all of
>> that covered in pySAML? I found this as well
>> (https://github.com/grnet/pysaml2eidas/tree/devel) , but that does not
>> seem to be used by SatoSa?
> This repo is not used - it should be removed.
>
>> What would I need to pull together to setup a satosa based eIDAS gateway?
>>
> set the module to be SAMLEIDASBackend
> make the entityid an https url
> configure internal_attributes.yaml to convert eIDAS NaturalPerson or
> LegalPerson attributes to SAML/OIDC/etc
> and you should be set.
>
> At GRNET we have a working installation with the eIDAS demo
> implementation provided by EU (Java based). That implementation
> requires some more things to work out of the box - i.e. a 'country'
> property with some value is needed (the demo EU SP node provides a
> country selector view) and it seems that only the POST binding is
> working.
>
> Try it out ;)
>

-- 
Niels van Dijk        Technical Product Manager Trust & Security
Mob: +31 651347657  |   Skype: cdr-80  |  PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
www.surfnet.nl                                www.openconext.org
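For reference, the three steps Ivan lists (eIDAS backend module, https entityid, internal_attributes mapping) pulled together into one SATOSA backend configuration plus an internal_attributes.yaml fragment. This is an added illustration, not configuration from the thread or from the SATOSA project; the host name, file paths, the chosen set of requested eIDAS attributes, the requested_attributes item layout and the incoming attribute names used in the mapping are assumptions.

```yaml
# eidas_backend.yaml -- constructed example; host name and file paths are placeholders
module: satosa.backends.saml2.SAMLEIDASBackend  # eIDAS backend: defaults want_response_signed and
name: eIDAS                                      # force_authn to true, allow_unsolicited to false
config:
  sp_config:
    # must be an https URL; with entityid_endpoint (set by the eIDAS backend) it is served as metadata
    entityid: https://proxy.example.org/eIDAS/proxy_saml2_backend.xml
    key_file: /etc/satosa/eidas_backend.key
    cert_file: /etc/satosa/eidas_backend.crt
    metadata:
      local: [/etc/satosa/metadata/eidas-node.xml]  # metadata of the eIDAS node being connected to
    service:
      sp:
        sp_type: public                 # eIDAS SPType element in the AuthnRequest
        sp_type_in_metadata: true       # also publish it in the SP metadata
        hide_assertion_consumer_service: true  # node takes the ACS from metadata, not the request
        requested_attributes:           # item layout assumed from the pysaml2 config howto
          - name: http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier
            friendly_name: PersonIdentifier
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName
            friendly_name: FamilyName
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName
            friendly_name: FirstName
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/DateOfBirth
            friendly_name: DateOfBirth
            required: true
        endpoints:
          assertion_consumer_service:   # only the POST binding is reported working with the EU demo node
            - [https://proxy.example.org/eIDAS/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
---
# internal_attributes.yaml (fragment) -- map the eIDAS NaturalPerson attributes to SATOSA's internal
# names so frontends can emit them as SAML/OIDC claims. Incoming names are assumed to be the eIDAS
# friendly names produced by pysaml2's attribute maps; the internal names on the left are our choice.
attributes:
  eidaspersonidentifier:
    saml: [PersonIdentifier]
  sn:
    saml: [FamilyName, sn]
  givenname:
    saml: [FirstName, givenName]
  dateofbirth:
    saml: [DateOfBirth]
```

Check the generated SP metadata at the entityid URL before registering with the node: SPType, the requested attributes and the single POST ACS should all be visible there.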

