Hi Christian, Bertrand,
We do exactly the same at CERN (eduGAIN -> Satosa -> Keycloak) and it works well.
We are also pretty happy with Keycloak as an open source AAI (it works with our number of
clients - roughly 12,000 - and seems to have a good sustainability model). I know the EOSC
team were also enhancing Keycloak to support federations properly. We also considered Gluu
when we were deciding.
Do you have any examples of a public WAYF?
We were also planning to use Satosa as an outbound proxy to eduGAIN for CERN users
accessing eduGAIN SPs. When I tried this a few years ago there were blocking issues with
encryption to Shibboleth SPs so we had to roll back. I don’t know whether this is
solved.
Cheers,
Hannah
On 30 Jan 2023, at 19:43, Christian Franke
<christian.franke(a)chronist.net> wrote:
On 1/24/23 09:43, U W wrote:
The idea is this one:
- Keycloak should see only one Identity Provider 'Edugain': in reality it is
Satosa behind
- and Satosa discovers the Edugain federations
I'm not comfortable with these technologies / these protocols (Keycloak, Satosa, SP,
IDP, SAML, etc) and therefore I don't understand how to configure all components...
Has someone done the same (Keycloak or Gluu + Satosa + Edugain) and could share with
me an example of configurations please?
At least the Satosa configuration files (frontend, backend, etc).
We have a web application that uses an OIDC interface to Satosa to get authentication
information for users provided by federated SAML IdPs, some of them from EduGain.
All in all our setup looks roughly like this:
+---------+  OIDC   +--------+  SAML   +---------+
| Web App |---------| Satosa |---------|  IdPs   |
+---------+         +--------+         +---------+
                        | MDQ
                    +--------+  HTTP   +--------------------------+
                    |  pyFF  |---------|Federation Metadata Server|
                    +--------+         +--------------------------+
                        | MDQ
                    +-----------+
                    | thisss.js |
                    +-----------+
Satosa handles the translation between SAML and OIDC.
The web app just sees a single OIDC ID Provider and Satosa takes care of the SAML
federation.
For a federation of the size of EduGain we ended up using pyFF with MDQ to supply
metadata to Satosa because this seems to scale a lot better than importing the metadata
directly into Satosa.
This also allows us to include exactly those IdPs that we want as pyFF can do very
flexible filtering and rewriting.
To allow users to select their home institution in a comfortable way in a list that
encompasses all the IdPs we import from multiple sources, we run thisss.js as WAYF
server.
I think a setup similar to this one should also work for your use case. If you run
with exactly the IdPs from EduGain, then you also don't need to run your own WAYF server but
can use a public one instead.
-Chris
_______________________________________________
satosa-users mailing list -- satosa-users(a)lists.sunet.se
To unsubscribe send an email to satosa-users-leave(a)lists.sunet.se