Microservices for SATOSA authentication proxy, made by the Perun team
Project description
satosacontrib.perun
Microservices for SATOSA authentication proxy, made by the Perun team.
Backends
Seznam backend
A backend for SATOSA which implements login using Seznam OAuth.
Use the example config and fill in your client ID and client secret.
Microservices
AuthSwitcher Lite
This request microservice takes ACRs (AuthnContextClassRefs in SAML, acr_values in OIDC) from a frontend and sets them as requested ACRs for the backends. It relies on SATOSA!419
Context attributes microservice
The microservice adds the target IdP data to attributes:
- display name
- logo
- target issuer
The MetaInfoIssuer microservice needs to be run beforehand with the following patch. Another patch is also needed for the satosa package until they are incorporated into the upstream.
Is banned microservice
The microservice connects to database storing user bans and redirects banned users to configured URL.
Persist authorization params microservice
This request microservice retrieves configured parameters from GET or POST request (if available) and stores the values to internal context state.
Forward authorization params microservice
This request microservice retrieves configured parameters from GET or POST request (if available) and
forwards them through a context parameter. Optionally, default_values
can be
provided in the config file. These will be forwarded for configured SP and/or IdP if
not provided in the GET/POST request. If the parameter with preconfigured
default value is sent via GET/POST request anyway, the value form the request will be
used instead of the default.
Session started with microservice
This Satosa microservice checks, if configured attribute's value is present in "session_started_with" values (retrieved by Persist authorization params microservice). If so, adds attribute with configured name. The value is expected to be converted to boolean by Attribute typing microservice.
Compute eligibility microservice
The microservice obtains dict with format { eligiblility_type: <unix_timestamp> }
from the internal data and runs a function configured for the
given eligibility type. The config is of format type: function_path
.
The function should have a following signature:
example_func(data: InternalData, *args, **kwargs) -> timestamp | bool
, and it either returns False
or
a new timestamp, in which case the time in the dictionary is
updated in internal data. It strongly relies on the PerunAttributes microservice to fill the dict
beforehand. If you want to update eligibility in the IDM, use the UpdateUserExtSource microservice.
NameID Attribute microservice
This microservice copies SAML NameID to an internal attribute with preconfigured name (and format).
It has two modes of operation. The deprecated way of configuring the microservice requires the config to
include nameid_attribute: saml2_nameid_persistent
, where saml2_nameid_persistent
stands for the name of the SAML NameID
attribute in format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
. The new way of configuring this
microservice expects a dictionary named nameid_attributes
containing items
like saml2_nameid_format: saml2_nameid_attribute
. In case of the newer configuration, both the format and attribute need
to be configured correctly in order for the NameID attribute to be copied to the internal attribute.
If one of the ways to use the microservice is configured, it will be used. If both ways are configured, the newer way of configuration - dictionary, will be used.
Demonstrations of both ways of configuration are shown in the example config.
Perun Microservices
Subpackage of microservices connecting to perun. These have to be allowed (or not denied) for a given combination of requester/target_entity in order to run.
Additional Identifiers
Takes user attributes by config, checks values with regexes and creates hashes by specified algorithm. Values prepared to hash are parsed into List of List of strings and serialized with json. User ext source and user is found by mathing this hashes. If not even one hash can be created, user will be redirected to error page. If user is not found, he will be redirected to registration page.
This microservice does not update the user in Perun with new values. To update save freshly computed values for the
current user, you need to run update_user_ext_source
microservice.
RFC - eduTEAMS Identifier Generation
Differences between our soulution and RFC:
- the selections are represented as list of list of attributes values serialized to JSON
- all identifiers are hashed by same hash function and with same salt
- The user’s home IdP entity-id does not need to be part of selection
- hashed values can be scoped but does not have to be
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for satosacontrib.perun-4.0.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | d5f8cbaa65427f3a82fe6a2d6153c19c836b2a7c5b8e520092a854bfa9c0d083 |
|
MD5 | f42260ddd889d2f9d5603f1a87007c4e |
|
BLAKE2b-256 | 3ca71ddda83d3538df2342e9dacadb0c3ecf03a909712e51cd652311170ed848 |
Hashes for satosacontrib.perun-4.0.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2df4679b50ffb8e1ba6173e7ce6c0c4be0aee9cefd54c171fd02c895083d169c |
|
MD5 | 5d1459d16229747b2e9de1fa36818306 |
|
BLAKE2b-256 | a54be0370d5ee830633d90523894c79c5418882551ab725ff3f8967025aebe0c |