3:13 p.m.
Hello,
we've been setting up SATOSA as a proxy that uses the SAML 2.0 backend
to authenticate against a SAML federation, and provides authentication
via the OpenID Connect frontend.
We've successfully managed to map attributes from the SAML side to
scopes on the OIDC side.
However, to qualify these attributes, it seems sensible to also check
the SAML entity ID of the IdP that made the assertions.
How can we expose the entity ID of the IdP asserting the identity of the
user on the OIDC side?
All Best,
Chris
--
Christian Franke
reelport GmbH
Karl-Heine-Str. 93
04229 Leipzig
Germany
Email: christian.franke at picturepipe.com
GPG-KeyID: 0xB657CF42AE512BEE
Phone: +49-157-34575984
Web: http://www.picturepipe.com/
CEO Tilman Scheel
Amtsgericht Duisburg, HRB 17622
USt-IdNr.: DE814323473
2:08 p.m.
Hello again,
On 3/9/21 3:13 PM, Christian Franke wrote:
How can we expose the entity ID of the IdP asserting
the identity of the
user on the OIDC side?
Is this such an uncommon problem that nobody can provide any guidance on
this?
All Best,
Chris
--
Christian Franke
reelport GmbH
Karl-Heine-Str. 93
04229 Leipzig
Germany
Email: christian.franke at picturepipe.com
GPG-KeyID: 0xB657CF42AE512BEE
Phone: +49-157-34575984
Web: http://www.picturepipe.com/
CEO Tilman Scheel
Amtsgericht Duisburg, HRB 17622
USt-IdNr.: DE814323473
2:25 p.m.
Hi,
Comments inline below:
we've been setting up SATOSA as a proxy that uses
the SAML 2.0 backend to
authenticate against a SAML federation, and provides authentication
via the OpenID Connect frontend.
We've successfully managed to map attributes from the SAML side to scopes on
the OIDC side.
However, to qualify these attributes, it seems sensible to also check the
SAML entity ID of the IdP that made the assertions.
How can we expose the entity ID of the IdP asserting the identity of the
user on the OIDC side?
I assume you are asking how to access the entityID of the IdP
asserting the identity within a SATOSA response microservice.
A SATOSA response microservice receives two arguments when it is
invoked. The second argument contains a data structure. You can obtain
the entityID of the authenticating IdP at
data.auth_info.issuer
See the LDAP attribute store microservice, line 408, as an example:
https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/micro_servi…
Another example is the Attribute Modifications response microservice,
line 35:
https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/micro_servi…
HTH,
Scott
6:55 p.m.
Hello Scott,
thank you for pointing out those examples in the micro services, that
was enough to get me started.
At least for our very simple use case, the following micro service is
sufficient to do what we need:
from satosa.micro_services.base import
ResponseMicroService
class EntityID(ResponseMicroService):
"""
Expose SAML 2.0 EntityID as attribute.
"""
def process(self, context, data):
data.attributes['entityID'] = data.auth_info.issuer
return super().process(context, data)
I am loading it from `CUSTOM_PLUGIN_MODULE_PATHS` now, added a mapping
for `entityID` to my `internal_attributes.yaml` and added that attribute
to a scope in the OIDC frontend configuration.
This way, everything is working fine now. :)
All Best,
Chris
--
Christian Franke
reelport GmbH
Karl-Heine-Str. 93
04229 Leipzig
Germany
Email: christian.franke at picturepipe.com
GPG-KeyID: 0xB657CF42AE512BEE
Phone: +49-157-34575984
Web: http://www.picturepipe.com/
CEO Tilman Scheel
Amtsgericht Duisburg, HRB 17622
USt-IdNr.: DE814323473
1334
days inactive
1340
days old
3 comments
2 participants
participants (2)
-
christian.franke@picturepipe.com -
skoranda@gmail.com