OpenConext / OpenConext-attribute-aggregation

OpenConext attribute aggregation
Apache License 2.0

Create sabrest aggregator #130

Closed phavekes closed 1 month ago

phavekes commented 1 month ago

This issue is imported from pivotal - Originally created at Apr 9, 2024 by Thijs Kinkhorst

The SAB aggregator currently uses the SAML AQ interface of SAB. We want to reduce the amount of APIs SAB has so we want to migrate this to the SAB REST API so we can phase out the AQ API.

We want to add a new attribute source named sabrest, next to the existing unchanged sab source (which will be removed later).

The SAB REST interface is documented here: https://wiki.surfnet.nl/display/SABint/SAB+via+REST-zoekinterface

It needs a GET request to the specified URL with uid and schachomeorg as request parameters which is protected by basic auth:

https://sab-ng.surfnet.nl/api/profile?uid=henny&idp=surfnet.nl

and will return the given JSON string.

Given this example string:

{
    "message": "OK",
    "code": 0,
    "profiles": [
        {  
            "firstname": "Henny",
            "middlename": "van der",
            "surname": "Bekker",
            "email": "henny.bekker@surfnet.nl",
            "mobile": "+31622803490",
            "idp": "surfnet.nl",
            "uid": "henny",
            "guid": "e31bc3d1-1211-e511-80d0-005056956c1a",
            "organisation": {
                "abbrev": "SURFNET",
                "name": "SURFnet bv",
                "guid": "ad93daef-0911-e511-80d0-005056956c1a"
            },
            "authorisations": [
                {  
                    "short": "SUP",
                    "role": "Superuser"
                }, 
                {  
                    "short": "IBV",
                    "role": "Instellingsbevoegde"
                }, 
                {  
                    "short": "OB",
                    "role": "OperationeelBeheerder"
                }
            ]
        }
    ]
}

The expected attribute values to be delivered are:

urn:mace:surfnet.nl:surfnet.nl:sab:role:Superuser
urn:mace:surfnet.nl:surfnet.nl:sab:role:Instellingsbevoegde
urn:mace:surfnet.nl:surfnet.nl:sab:role:OperationeelBeheerder
urn:mace:surfnet.nl:surfnet.nl:sab:organizationCode:SURFNET
urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:ad93daef-0911-e511-80d0-005056956c1a

The new aggregator must support two different target attributes to deliver the values to:

urn:mace:dir:attribute-def:eduPersonEntitlement and urn:mace:surf.nl:attribute-def:surf-autorisaties
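
The mapping from the SAB REST response to the expected values, as an added Python example (not the project's code and not part of the issue). The function names, the character whitelist, the reading of `code` 0 as success and the check that the returned profile matches the requested `uid` and `idp` are assumptions made for illustration.

```python
import re

# Prefix and target attribute names are taken from the issue text.
URN_PREFIX = "urn:mace:surfnet.nl:surfnet.nl:sab:"
TARGET_ATTRIBUTES = (
    "urn:mace:dir:attribute-def:eduPersonEntitlement",
    "urn:mace:surf.nl:attribute-def:surf-autorisaties",
)
# Assumption: values are held to a conservative character set so that a
# response field cannot append extra ':'-separated URN segments.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample: the issue's response reduced to the fields read here.
SAMPLE = {
    "message": "OK", "code": 0,
    "profiles": [{
        "idp": "surfnet.nl", "uid": "henny",
        "organisation": {"abbrev": "SURFNET",
                         "guid": "ad93daef-0911-e511-80d0-005056956c1a"},
        "authorisations": [{"short": "SUP", "role": "Superuser"},
                           {"short": "IBV", "role": "Instellingsbevoegde"},
                           {"short": "OB", "role": "OperationeelBeheerder"}],
    }],
}

def add_value(values, kind, value):
    """Append one URN if the value is a string inside the allowed character set."""
    if isinstance(value, str) and SAFE_VALUE.fullmatch(value):
        urn = URN_PREFIX + kind + ":" + value
        if urn not in values:
            values.append(urn)

def sab_values(response, uid, idp):
    """Map a parsed response to URN values for the user that was queried."""
    if response.get("code") != 0:  # assumption: 0 means success, as in the sample
        return []
    values = []
    for profile in response.get("profiles") or []:
        if profile.get("uid") != uid or profile.get("idp") != idp:
            continue  # ignore profiles that do not match the request
        for auth in profile.get("authorisations") or []:
            add_value(values, "role", auth.get("role"))
        org = profile.get("organisation") or {}
        add_value(values, "organizationCode", org.get("abbrev"))
        add_value(values, "organizationGUID", org.get("guid"))
    return values

def aggregate(response, uid, idp, target):
    """Deliver the values under one of the two supported target attributes."""
    if target not in TARGET_ATTRIBUTES:
        raise ValueError("unsupported target attribute: " + target)
    return {target: sab_values(response, uid, idp)}
```

Any other `code`, a profile for a different user, or a value outside the whitelist yields no attribute value instead of a partially trusted one.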

phavekes commented 1 month ago

https://github.com/OpenConext/OpenConext-attribute-aggregation/commit/c0e3b3ff9703e1c50f77a85f2225af7411198edd (Okke Harsta - May 3, 2024)

phavekes commented 1 month ago

I've put credentials for sab-ng.surfnet.nl in t07:~okke.

I've provided feedback on the commit linked above. (Thijs Kinkhorst - May 8, 2024)

phavekes commented 1 month ago

Incorporated feedback in https://github.com/OpenConext/OpenConext-attribute-aggregation/commit/bb37b00055f7a5e6f57fd564bd3d71d53bcfb9af (Okke Harsta - May 14, 2024)