OpenConext / Stepup-Project

Managing issues for Stepup-* projects

Move RV idP configuration to parameters.yml.dist #319

Closed phavekes closed 4 days ago

phavekes commented 4 days ago

This issue is imported from pivotal - Originally created at Mar 23, 2020 by bstrooband

The remote_vetting.yml configuration was static during development in order to always keep a working branch without configuration. Before the release of the MVP this needs to be configurable and moved to the parameters.yml.dist.

phavekes commented 4 days ago
@bstrooband the entityID that needs to be used in order to reflect the config in Deploy is `https://selfservice.stepup.example.com/rv/metadata`. (bstrooband - Feb 22, 2021)
phavekes commented 4 days ago

As discussed. The configuration for the SelfService SAML entity that is used for authentication to the remote vetting IdP is unclear.

The EntityID is configurable, which is unusual: https://github.com/OpenConext/Stepup-SelfService/blob/remote-vetting/config/legacy/parameters.yaml.dist#L120 When configured as "https://selfservice.vetting-poc.surfconext.nl/rv/metadata" this is picked up in the AuthnRequest to the vetting IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_edf05cc902926533b60644c51569e2019fa2be598f22d03bc85ef1d6f571"
                    Version="2.0"
                    IssueInstant="2021-02-22T13:08:23Z"
                    Destination="https://irma.vetting-poc.surfconext.nl/sso"
                    AssertionConsumerServiceURL="https://selfservice.vetting-poc.surfconext.nl/second-factor/acs"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://selfservice.vetting-poc.surfconext.nl/rv/metadata</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </saml:Subject>
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The ACS location is fixed (here: https://selfservice.vetting-poc.surfconext.nl/second-factor/acs). Also, no metadata is published.

Ideally the ACS location and the metadata use the same slug that indicates the usage of the SP, e.g. vetting. And metadata is published at the entityID.

(Pieter van der Meulen - Feb 22, 2021)
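As an added example (not code from the Stepup project or from this thread), the check an IdP performs on an AuthnRequest like the one quoted above: the Issuer must be a registered entityID, and the AssertionConsumerServiceURL and ProtocolBinding must match that entity's registered metadata. This is the check the vetting IdP cannot make while the SelfService RV entity publishes no metadata. The registry entries and the trimmed request below are constructed from the values quoted in the issue.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the SP metadata an IdP would normally load;
# the issue notes that the SelfService RV entity does not publish any.
SP_REGISTRY = {
    "https://selfservice.vetting-poc.surfconext.nl/rv/metadata": {
        "acs": {"https://selfservice.vetting-poc.surfconext.nl/second-factor/acs"},
        "bindings": {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"},
    },
}

# Constructed AuthnRequest, trimmed from the one quoted in the issue.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
    IssueInstant="2021-02-22T13:08:23Z" Destination="https://irma.vetting-poc.surfconext.nl/sso"
    AssertionConsumerServiceURL="https://selfservice.vetting-poc.surfconext.nl/second-factor/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://selfservice.vetting-poc.surfconext.nl/rv/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def check_authn_request(xml_text, registry=SP_REGISTRY):
    """Validate Issuer/ACS/binding of an AuthnRequest against registered SP metadata.

    Returns a list of findings; an empty list means the request is acceptable.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["not a samlp:AuthnRequest"]
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        return ["missing saml:Issuer"]
    sp = registry.get(issuer)
    if sp is None:
        # No metadata for this entityID: the IdP cannot know where assertions may go.
        return ["unknown Issuer (no registered metadata): %s" % issuer]
    findings = []
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in sp["acs"]:
        # An ACS outside the SP's metadata must not be honoured; the assertion
        # would otherwise be delivered wherever an unsigned request asks for.
        findings.append("ACS not registered for %s: %s" % (issuer, acs))
    binding = root.get("ProtocolBinding")
    if binding is not None and binding not in sp["bindings"]:
        findings.append("binding not registered for %s: %s" % (issuer, binding))
    return findings


if __name__ == "__main__":
    print(check_authn_request(SAMPLE_REQUEST) or "request consistent with metadata")
```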