CZ-NIC / django-eidas-specific-node

GNU General Public License v3.0

eIDAS Specific Node

Django implementation of the member-state-specific Connector and Proxy Service for CEF eIDAS Node version 2.4 and later.

Requirements

Changes

See CHANGELOG.md for changes.

Specific Proxy Service

Sample settings are provided in samples/proxy_service_settings.py.

Usage

To use eIDAS Proxy Service, adjust Django settings:

Settings

PROXY_SERVICE_REQUEST_TOKEN

Settings of the light token corresponding to an incoming light request. A dictionary with the following items:

PROXY_SERVICE_RESPONSE_TOKEN

Settings of the light token corresponding to an outgoing light response. A dictionary with the following items:

PROXY_SERVICE_LIGHT_STORAGE

Settings for the storage of light requests and responses. A dictionary with the following items:

PROXY_SERVICE_IDENTITY_PROVIDER

Settings for the interaction with the Identity Provider. A dictionary with the following items:

PROXY_SERVICE_EIDAS_NODE

Settings for the interaction with the eIDAS Node. A dictionary with the following items:

PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK

Optional boolean, disabled by default. If enabled, PROXY_SERVICE_AUXILIARY_STORAGE must be set too. If the request asked for the transient name ID format but the response carries a different format, the provided name ID is replaced by a newly generated random transient ID, so the service provider never receives a persistent identifier it did not request.
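The fallback described above, as an added example that is not code from this project: the requested name ID format is remembered in auxiliary storage under the request ID, and when the identity provider answers with a non-transient name ID the value is swapped for a fresh random one. The AuxiliaryStorage class, apply_transient_fallback and the request IDs are hypothetical; the NameID format URNs are the standard SAML 2.0 values.

```python
import secrets

# SAML 2.0 NameID format URNs. Standard values, not constants of this project.
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class AuxiliaryStorage:
    """In-memory stand-in for the auxiliary storage (hypothetical; the real
    backend is whatever PROXY_SERVICE_AUXILIARY_STORAGE configures)."""

    def __init__(self):
        self._entries = {}

    def store_request(self, request_id, name_id_format):
        # Remember what the request asked for, keyed by the request ID that
        # the response will later reference (SAML InResponseTo).
        self._entries[request_id] = {"name_id_format": name_id_format}

    def pop_request(self, request_id):
        # One-shot read: a second response referencing the same request ID
        # finds nothing, so stale metadata cannot be reused.
        return self._entries.pop(request_id, None)


def apply_transient_fallback(storage, in_response_to, response_format,
                             response_name_id, fallback_enabled=True):
    """Return the (name_id, name_id_format) pair to put into the light response.

    When the request asked for a transient name ID but the identity provider
    answered with a different format, replace the value with a fresh random
    transient ID so the persistent identifier never leaves the proxy service.
    """
    meta = storage.pop_request(in_response_to)
    if meta is None:
        raise KeyError(f"no pending request for {in_response_to!r}")
    requested_format = meta["name_id_format"]
    if (fallback_enabled and requested_format == NAMEID_TRANSIENT
            and response_format != NAMEID_TRANSIENT):
        # 32 bytes from the OS CSPRNG; the value is opaque and single-use.
        return secrets.token_urlsafe(32), NAMEID_TRANSIENT
    return response_name_id, response_format


if __name__ == "__main__":
    store = AuxiliaryStorage()
    store.store_request("_req-1", NAMEID_TRANSIENT)  # constructed request ID
    # Constructed IdP answer: persistent identifier although transient was asked for.
    print(apply_transient_fallback(store, "_req-1", NAMEID_PERSISTENT, "CZ/CZ/1234567890"))
```

Without auxiliary storage the proxy service has no record of what the original request asked for once the response arrives, which is why the setting requires PROXY_SERVICE_AUXILIARY_STORAGE.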

PROXY_SERVICE_TRACK_COUNTRY_CODE

Optional boolean, disabled by default. If enabled, PROXY_SERVICE_AUXILIARY_STORAGE must be set too. When enabled, the country code of the request is logged along with the status of the corresponding request.

PROXY_SERVICE_AUXILIARY_STORAGE

Auxiliary storage that holds per-request metadata needed while the corresponding response is processed. It is required if PROXY_SERVICE_TRACK_COUNTRY_CODE or PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK is enabled.

A dictionary with the following items:

PROXY_SERVICE_LEVELS_OF_ASSURANCE

An optional mapping of Authentication Context Classes (str) to Levels of Assurance (eidas_node.constants.LevelOfAssurance). The default mapping is empty, so any authentication context class that is not itself an eIDAS Level of Assurance is unrecognized and is propagated as an error. Example:

from eidas_node.constants import LevelOfAssurance
PROXY_SERVICE_LEVELS_OF_ASSURANCE = {
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Password': LevelOfAssurance.LOW,
}

Customization

You can customize the authorization flow by subclassing view classes in eidas_node.proxy_service.views, overriding necessary methods and adjusting URL configuration.

CZ NIA

eidas_node.proxy_service.cznia (ROOT_URLCONF = 'eidas_node.proxy_service.cznia.urls') contains the modifications required for CZ NIA (the official identity provider of the Czech Republic), with the following settings:

Specific Connector

Sample settings are provided in samples/connector_settings.py.

Usage

To use eIDAS Connector, adjust Django settings:

Views

Setting ROOT_URLCONF to eidas_node.connector.urls will provide you with three main views:

Setting ROOT_URLCONF to eidas_node.connector.demo.urls will provide you with two additional views:

Settings

CONNECTOR_REQUEST_TOKEN

Settings of the light token corresponding to an outgoing light request. A dictionary with the following items:

CONNECTOR_RESPONSE_TOKEN

Settings of the light token corresponding to an incoming light response. A dictionary with the following items:

CONNECTOR_LIGHT_STORAGE

Settings for the storage of light requests and responses. A dictionary with the following items:

CONNECTOR_SERVICE_PROVIDER

Settings for the interaction with the Service Provider. A dictionary with the following items:

CONNECTOR_EIDAS_NODE

Settings for the interaction with the eIDAS Node. A dictionary with the following items:

CONNECTOR_ALLOWED_ATTRIBUTES

A set containing the URI names (strings, e.g. 'http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier') of attributes that a service provider may request. Any other attribute is dropped from the authentication request before it is forwarded. All eIDAS natural and legal person attributes are enabled by default. An empty set disables the filter entirely, so every requested attribute is forwarded unchanged.
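The filter semantics described above, as an added example that is not the project's own implementation: requested attribute URIs are split into the ones kept and the ones dropped, an empty allow-list passes everything through, and the dropped ones are returned so they can be logged. The default allow-list is built from the eIDAS SAML attribute profile URIs as an assumption about what "all eIDAS natural and legal person attributes" covers; the function name, the sample request and the example.org attribute are constructed.

```python
NATURAL_PERSON_NS = "http://eidas.europa.eu/attributes/naturalperson/"
LEGAL_PERSON_NS = "http://eidas.europa.eu/attributes/legalperson/"

# Attribute URIs of the eIDAS SAML attribute profile (assumed default set;
# these are specification values, not constants taken from this project).
EIDAS_NATURAL_PERSON_ATTRIBUTES = frozenset(
    NATURAL_PERSON_NS + name for name in (
        "PersonIdentifier", "CurrentFamilyName", "CurrentGivenName", "DateOfBirth",
        "BirthName", "PlaceOfBirth", "CurrentAddress", "Gender",
    )
)
EIDAS_LEGAL_PERSON_ATTRIBUTES = frozenset(
    LEGAL_PERSON_NS + name for name in (
        "LegalPersonIdentifier", "LegalName", "LegalPersonAddress",
        "VATRegistrationNumber", "TaxReference", "D-2012-17-EUIdentifier",
        "LEI", "EORI", "SEED", "SIC",
    )
)
DEFAULT_ALLOWED_ATTRIBUTES = EIDAS_NATURAL_PERSON_ATTRIBUTES | EIDAS_LEGAL_PERSON_ATTRIBUTES


def filter_requested_attributes(requested, allowed=DEFAULT_ALLOWED_ATTRIBUTES):
    """Split the attribute URIs of an incoming request into (kept, dropped).

    URIs outside ``allowed`` are dropped; an empty ``allowed`` set disables the
    filter so everything passes through. Request order is preserved and
    duplicate URIs are collapsed so a repeated attribute cannot slip past a
    later check that assumes uniqueness.
    """
    kept, dropped, seen = [], [], set()
    for uri in requested:
        if uri in seen:
            continue
        seen.add(uri)
        if not allowed or uri in allowed:
            kept.append(uri)
        else:
            dropped.append(uri)
    return kept, dropped


# Constructed request from a service provider: two mandatory natural person
# attributes, one legal person attribute, one attribute outside eIDAS entirely.
SAMPLE_REQUEST = [
    NATURAL_PERSON_NS + "PersonIdentifier",
    NATURAL_PERSON_NS + "CurrentFamilyName",
    LEGAL_PERSON_NS + "LegalName",
    "http://example.org/attributes/SocialSecurityNumber",
    NATURAL_PERSON_NS + "PersonIdentifier",  # duplicate, collapsed
]


if __name__ == "__main__":
    kept, dropped = filter_requested_attributes(SAMPLE_REQUEST)
    print("kept:", kept)
    print("dropped:", dropped)  # the example.org attribute
    # Natural-person-only deployment: the legal person attribute is dropped too.
    print(filter_requested_attributes(SAMPLE_REQUEST, EIDAS_NATURAL_PERSON_ATTRIBUTES)[1])
    # Empty set disables the filter: nothing is dropped.
    print(filter_requested_attributes(SAMPLE_REQUEST, set())[1])
```

A connector that only serves natural persons should set CONNECTOR_ALLOWED_ATTRIBUTES to the natural person subset rather than leaving the default, and should treat an empty set as a deliberate "no filtering" choice rather than a safe default.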

CONNECTOR_SELECTOR_COUNTRIES

A list of (country code, name) pairs to be displayed in the citizen country selector (/CitizenCountrySelector). The default is the 28 member states of the EU.

CONNECTOR_TRACK_COUNTRY_CODE

Optional boolean, disabled by default. If enabled, CONNECTOR_AUXILIARY_STORAGE must be set too. When enabled, the country code of the request is logged along with the status of the corresponding request.

CONNECTOR_AUXILIARY_STORAGE

Auxiliary storage that holds per-request metadata needed while the corresponding response is processed. It is required if CONNECTOR_TRACK_COUNTRY_CODE is enabled.

A dictionary with the following items:

Customization

You can customize the authorization flow by subclassing view classes in eidas_node.connector.views, overriding necessary methods and adjusting URL configuration.

Copyright