On 1/24/23 09:43, U W wrote:
> The idea is this one:
> - Keycloak should see only one Identity Provider 'Edugain': in reality it is
>   Satosa behind
> - and Satosa discovers the Edugain federations
> I'm not comfortable with these technologies / these protocols (Keycloak, Satosa, SP,
> IDP, SAML, etc) and therefore I don't understand how to configure all components...
> Is there someone who did the same (Keycloak or Gluu + Satosa + Edugain) and could share with
> me an example of configurations please?
> At least the Satosa configuration files (frontend, backend, etc).
We have a web application that uses an OIDC interface to Satosa to get
authentication information for users provided by federated SAML IdPs,
some of them from EduGain.
All in all our setup looks roughly like this:
+---------+  OIDC  +--------+  SAML  +---------+
| Web App |--------| Satosa |--------|  IdPs   |
+---------+        +--------+        +---------+
                       | MDQ
                   +--------+  HTTP  +--------------------------+
                   |  pyFF  |--------|Federation Metadata Server|
                   +--------+        +--------------------------+
                       | MDQ
                   +-----------+
                   | thisss.js |
                   +-----------+
Satosa handles the translation between SAML and OIDC.
The web app just sees a single OIDC ID Provider and Satosa takes care of
the SAML federation.
For a federation of the size of EduGain we ended up using pyFF with MDQ
to supply metadata to Satosa because this seems to scale a lot better
than importing the metadata directly into Satosa.
This also allows us to include exactly those IdPs that we want as pyFF
can do very flexible filtering and rewriting.
To allow users to select their home institution in a comfortable way in
a list that encompasses all the IdPs we import from multiple sources, we
run thisss.js as WAYF server.
I think a setup similar to this one should also work for your use case.
If you run with exactly the IdPs from EduGain, then you also don't need
to run your own WAYF server but can use a public one instead.
-Chris
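The reply above leans on two pieces that are easy to get wrong when wiring a SAML proxy to a federation the size of eduGAIN: how an MDQ client asks the metadata server for one entity, and what the proxy has to check in the answer before it trusts an IdP's SSO endpoint (validity window, which federation registered it, which binding to use). The following Python is an added example written for this page; it is not code from the thread, from SATOSA or from pyFF. The MDQ server name, entityIDs, federation registrar URIs and the embedded metadata response are all constructed for illustration. Signature verification of the MDQ response is deliberately out of scope here; in a real deployment pysaml2 does that against the MDQ signing certificate and this code would sit behind it.

```python
"""MDQ lookup and metadata sanity checks for a SAML->OIDC proxy (constructed example)."""
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI_NS = "urn:oasis:names:tc:SAML:metadata:rpi"
NS = {"md": MD_NS, "mdrpi": MDRPI_NS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def mdq_url(base_url: str, entity_id: str, hashed: bool = True) -> str:
    """Build the MDQ request URL for a single entity.

    MDQ names an entity either by its percent-encoded entityID or by the
    transformed identifier "{sha1}" + hex(SHA-1(entityID)). The braces are
    percent-encoded like any other reserved character in the path.
    """
    base = base_url.rstrip("/")
    if hashed:
        digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
        return f"{base}/entities/%7Bsha1%7D{digest}"
    return f"{base}/entities/{urllib.parse.quote(entity_id, safe='')}"


def parse_entities(xml_text: str) -> list:
    """Parse an MDQ response (one EntityDescriptor or an EntitiesDescriptor
    aggregate) into plain dicts, keeping only entities that act as an IdP."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    elif root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        descriptors = root.findall("md:EntityDescriptor", NS)
    else:
        raise ValueError(f"unexpected root element {root.tag}")

    idps = []
    for ed in descriptors:
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and attribute authorities are not login targets
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        idps.append({
            "entity_id": ed.get("entityID"),
            "valid_until": ed.get("validUntil"),
            "registration_authority": reg.get("registrationAuthority") if reg is not None else None,
            "sso": {s.get("Binding"): s.get("Location")
                    for s in idp.findall("md:SingleSignOnService", NS)},
        })
    return idps


def filter_by_registrar(idps: list, allowed_registrars: set) -> list:
    """Keep only IdPs registered by one of the named federation operators.
    This is the kind of selection pyFF does in front of the proxy."""
    return [i for i in idps if i["registration_authority"] in allowed_registrars]


def is_still_valid(idp: dict, now: datetime = None) -> bool:
    """MDQ servers hand out short-lived metadata; a consumer must honour
    validUntil rather than just caching. Missing validUntil is treated as
    not valid, because this check is what the caller is relying on."""
    if idp["valid_until"] is None:
        return False
    expiry = datetime.fromisoformat(idp["valid_until"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now < expiry


def sso_location(idp: dict, preferred=(REDIRECT, POST)) -> tuple:
    """Pick the SingleSignOnService the proxy should send the AuthnRequest to,
    preferring HTTP-Redirect, then HTTP-POST."""
    for binding in preferred:
        if binding in idp["sso"]:
            return binding, idp["sso"][binding]
    raise LookupError("no supported SingleSignOnService binding")


# Constructed MDQ response: two IdPs from two (fictional) federations plus one
# SP that must be ignored. The second IdP's metadata has already expired.
SAMPLE_MDQ_RESPONSE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth" validUntil="2099-01-01T00:00:00Z">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://federation-a.example/"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.uni-a.example/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.college-b.example/saml" validUntil="2020-01-01T00:00:00Z">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://federation-b.example/"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.college-b.example/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.service-c.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    print(mdq_url("https://mdq.example.org/", "https://idp.uni-a.example/idp/shibboleth"))
    for idp in filter_by_registrar(parse_entities(SAMPLE_MDQ_RESPONSE), {"https://federation-a.example/"}):
        if is_still_valid(idp):
            print(idp["entity_id"], "->", sso_location(idp))
```

In the thread's architecture the registrar filter is the part pyFF takes off the proxy's hands; the validity and binding checks are what SATOSA's pysaml2 backend does on every MDQ answer, and they are the reason per-entity MDQ lookups scale better than re-importing a full aggregate: only the IdP the user picked in the WAYF is fetched and checked at login time.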