To make SFO calls, engine needs the config of the SFO IdP Entity and the SFO AuthnContextClassRefs to use. Because these differ from the AuthnContextClassRefs that engine must communicate to SPs, a "translation table" is needed.
SAML Metadata
In order to be able to call the remote OpenConext-Stepup SFO endpoint, EB needs to know its metadata (i.e. the metadata of the SAML IdP Entity published at https:///second-factor-only/metadata):
Needed information is:
EntityID
SSO location
SAML Signing Certificate
These can be global configuration file parameters. We do not want to dynamically import/configure these from the metadata published by the Stepup-Gateway. These parameters must not be mandatory for regular EB operation (since an install may not also have an OpenConext-Stepup setup).
AuthnContextClassRefs
The AuthnContextClassRef values are specific to an OpenConext-Stepup installation. Moreover, the values used by the "standard" authentication endpoint of the Stepup-Gateway (which engine will emulate) differ from those used by the SFO endpoint. This means that a translation table is required to be able to convert between the two.
Additionally, engine needs to be able to express to the SP that, if allowed by the configuration, a user did not have an (active) token that allowed authentication at the requested level (see: Scenario 3 in https://www.pivotaltracker.com/story/show/166729297). This corresponds to the LoA 1 authentication policy of the Stepup-Gateway.
Needed is a two-way mapping from "AuthnContextClassRef configured in manage and used in the assertion to the SP" to "AuthnContextClassRef to use with the SFO endpoint of the Stepup-Gateway". For the current Stepup-Gateway this table will have two entries (but I suggest not limiting the number of entries in this table):
These can be global configuration file parameters. These parameters must not be mandatory for regular EB operation (since an install may not also have an OpenConext-Stepup setup).
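As an added illustration of the configuration described above (not code from engineblock or OpenConext-Stepup), a Python sketch of the optional SFO config block, the two-way AuthnContextClassRef table and the LoA 1 fallback of Scenario 3; the field names, URIs and certificate are assumed placeholders:

```python
# Added example (not engineblock code); all URIs and the certificate are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class SfoConfig:
    entity_id: str              # EntityID of the SFO IdP entity
    sso_location: str           # its SSO location
    signing_cert_pem: str       # its SAML signing certificate
    loa_to_sfo: dict[str, str]  # ref configured in manage / sent to the SP -> ref for the SFO endpoint
    loa1_sfo_ref: str           # ref the gateway returns under its LoA 1 policy (no active token)
    loa1_sp_ref: str            # ref engine then expresses to the SP
    allow_loa1: bool = False    # Scenario 3: may engine forward a LoA 1 result at all?

    def __post_init__(self) -> None:
        if len(set(self.loa_to_sfo.values())) != len(self.loa_to_sfo):  # table is used both ways
            raise ValueError("loa_to_sfo must be one-to-one")

def load_sfo_config(raw: dict) -> "SfoConfig | None":
    """None when no Stepup setup exists: SFO keys stay optional for regular EB operation."""
    sfo = raw.get("sfo")
    if sfo is None:
        return None
    try:
        return SfoConfig(**sfo)
    except TypeError as exc:    # missing or unknown key: a half-configured SFO section
        raise ValueError(f"incomplete sfo section: {exc}") from None

def to_sfo_ref(cfg: SfoConfig, sp_ref: str) -> str:
    """Level the SP requested -> AuthnContextClassRef to send to the SFO endpoint."""
    if sp_ref not in cfg.loa_to_sfo:
        raise ValueError(f"no SFO equivalent configured for {sp_ref}")
    return cfg.loa_to_sfo[sp_ref]

def to_sp_ref(cfg: SfoConfig, sfo_ref: str) -> str:
    """Ref in the gateway's assertion -> ref for the assertion engine sends to the SP."""
    inverse = {v: k for k, v in cfg.loa_to_sfo.items()}
    if sfo_ref in inverse:
        return inverse[sfo_ref]
    if sfo_ref == cfg.loa1_sfo_ref and cfg.allow_loa1:
        return cfg.loa1_sp_ref
    raise ValueError(f"gateway returned {sfo_ref!r}, which is not an accepted level")

SAMPLE = {"sfo": {  # constructed sample values, not a real deployment
    "entity_id": "https://gw.example.org/second-factor-only/metadata",
    "sso_location": "https://gw.example.org/second-factor-only/single-sign-on",
    "signing_cert_pem": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "loa_to_sfo": {"http://example.org/loa2": "http://example.org/sfo-level2",
                   "http://example.org/loa3": "http://example.org/sfo-level3"},
    "loa1_sfo_ref": "http://example.org/sfo-level1", "loa1_sp_ref": "http://example.org/loa1",
    "allow_loa1": True}}
```

With `allow_loa1` set to false, a LoA 1 answer from the gateway is rejected instead of being passed on to the SP, which is the configuration-controlled behaviour the issue asks for.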
This issue is imported from pivotal - Originally created at Jun 14, 2019 by Thijs Kinkhorst
Estimation: 6 - 8h