[Satosa-dev] eIDAS integration
Niels van Dijk
niels.vandijk at surfnet.nl
Fri May 4 07:40:07 UTC 2018
thanks again Ivan!
On 03-05-18 18:26, Ivan Kanakarakis wrote:
> On 3 May 2018 at 17:10, Niels van Dijk <niels.vandijk at surfnet.nl> wrote:
>> Hi all (and specifically Ivan as he was committing stuff),
>> I note a commit mentioning eIDAS integration, however what was committed
>> seems a bit too little to actually engage with eIDAS. I am for example
> Yes. What you need is to define that you are using an eIDAS backend.
> So, a configuration would look like:
> module: satosa.backends.saml2.SAMLEIDASBackend
> When you do that, some properties will be defined by default - i.e.
> want_response_signed will be true, force_authn will be true,
> allow_unsolicited will be false, etc
> pysaml2 already includes eidas related bits. New options include
> - hide_assertion_consumer_service:
> - sp_type: https://github.com/IdentityPython/pysaml2/blob/master/doc/howto/config.rst#sp-type
> - sp_type_in_metadata:
> - requested_attributes:
> SATOSA also uses the entityid_endpoint option (automatically set to
> true when SAMLEIDASBackend is used). This makes the entityid an
> accessible URL.
>> not seeing any reference to eIDAS specific saml extensions. Is all of
>> that covered in pySAML? I found this as well
>> (https://github.com/grnet/pysaml2eidas/tree/devel) , but that does not
>> seem to be used by SatoSa?
> This repo is not used - it should be removed.
>> What would I need to pull together to set up a satosa based eIDAS gateway?
> set the module to be SAMLEIDASBackend
> make the entityid an https url
> configure internal_attributes.yaml to convert eIDAS NaturalPerson or
> LegalPerson attributes to SAML/OIDC/etc
> and you should be set.
> At GRNET we have a working installation with the eIDAS demo
> implementation provided by EU (Java based). That implementation
> requires some more things to work out of the box - i.e. a 'country'
> property with some value is needed (the demo EU SP node provides a
> country selector view) and it seems that only the POST binding is
> Try it out ;)
Niels van Dijk Technical Product Manager Trust & Security
Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
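Pulling Ivan's three steps together, here is an added example (not configuration from this thread or from the SATOSA project) of a backend plugin file and an internal_attributes.yaml fragment, written as two YAML documents in one block. The proxy base URL, file names, internal attribute names and OIDC claim names are assumptions, `public` is one of the two eIDAS SPType values, and the friendly names in the second document (PersonIdentifier, FirstName, FamilyName, DateOfBirth) are those of the eIDAS SAML attribute profile and are assumed to be what pysaml2's attribute map yields for the incoming assertion.

```yaml
# Backend plugin, e.g. plugins/backends/eidas_backend.yaml (file name is an assumption)
module: satosa.backends.saml2.SAMLEIDASBackend
name: eidas
config:
  # SAMLEIDASBackend turns entityid_endpoint on, so the entityid must be an
  # https URL that this proxy actually serves (base URL is assumed here)
  sp_config:
    entityid: https://proxy.example.org/eidas/proxy_saml2_backend.xml
    key_file: backend.key
    cert_file: backend.crt
    metadata:
      local: [eidas_node_metadata.xml]   # metadata of the eIDAS node (assumed file)
    service:
      sp:
        # eIDAS-specific SP options from pysaml2 (see the sp-type link above)
        sp_type: public                  # or private, depending on the SP
        sp_type_in_metadata: true
        hide_assertion_consumer_service: true
        # Minimum data set for a natural person, requested in the AuthnRequest
        requested_attributes:
          - name: http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName
            required: true
          - name: http://eidas.europa.eu/attributes/naturalperson/DateOfBirth
            required: true
        endpoints:
          assertion_consumer_service:
            # ACS endpoint for the HTTP-POST binding
            - [https://proxy.example.org/eidas/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
---
# internal_attributes.yaml: map the eIDAS NaturalPerson attributes (by the
# friendly names of the eIDAS attribute profile) onto SATOSA's internal names
# so frontends can release them as ordinary SAML attributes or OIDC claims
attributes:
  personidentifier:
    saml: [PersonIdentifier]
    openid: [person_identifier]          # constructed claim name
  givenname:
    saml: [givenName, FirstName]
    openid: [given_name]
  surname:
    saml: [sn, FamilyName]
    openid: [family_name]
  dateofbirth:
    saml: [DateOfBirth]
    openid: [birthdate]
```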