Closed phavekes closed 4 days ago
@bstrooband the entityID that needs to be used in order to reflect the config in Deploy is `https://selfservice.stepup.example.com/rv/metadata`. (bstrooband - Feb 22, 2021)
As discussed. The configuration for the SelfService SAML entity that is used for authentication to the remote vetting IdP is unclear.
The EntityID is configurable, which is unusual: https://github.com/OpenConext/Stepup-SelfService/blob/remote-vetting/config/legacy/parameters.yaml.dist#L120. When configured as "https://selfservice.vetting-poc.surfconext.nl/rv/metadata", this is picked up in the AuthnRequest to the vetting IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_edf05cc902926533b60644c51569e2019fa2be598f22d03bc85ef1d6f571"
                    Version="2.0"
                    IssueInstant="2021-02-22T13:08:23Z"
                    Destination="https://irma.vetting-poc.surfconext.nl/sso"
                    AssertionConsumerServiceURL="https://selfservice.vetting-poc.surfconext.nl/second-factor/acs"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://selfservice.vetting-poc.surfconext.nl/rv/metadata</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </saml:Subject>
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
The ACS location is fixed (here: https://selfservice.vetting-poc.surfconext.nl/second-factor/acs). Also, no metadata is published.
Ideally the ACS location and the metadata use the same slug that indicates the usage of the SP, e.g. "vetting", and the metadata is published at the entityID.
(Pieter van der Meulen - Feb 22, 2021)
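The points raised above (configurable entityID, fixed ACS under a different slug, no published metadata) can be turned into a mechanical check. The following is an added example and not code from the Stepup-SelfService project: it builds a minimal SP metadata document for a given entityID and ACS location, then compares an AuthnRequest against that metadata, checking that the Issuer equals the entityID, that the AssertionConsumerServiceURL and ProtocolBinding are advertised in the metadata, and that entityID and ACS share the same first path segment. The AuthnRequest quoted above is used as the sample input; the `/vetting/metadata` and `/vetting/acs` URLs used to illustrate the proposed layout are assumptions, not anything the project publishes.

```python
"""Added example, not Stepup-SelfService project code: build minimal SAML 2.0 SP
metadata and check an AuthnRequest for consistency with it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Sample input: the AuthnRequest quoted in the issue comment above.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_edf05cc902926533b60644c51569e2019fa2be598f22d03bc85ef1d6f571"
    Version="2.0" IssueInstant="2021-02-22T13:08:23Z"
    Destination="https://irma.vetting-poc.surfconext.nl/sso"
    AssertionConsumerServiceURL="https://selfservice.vetting-poc.surfconext.nl/second-factor/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://selfservice.vetting-poc.surfconext.nl/rv/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml:Subject>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def build_sp_metadata(entity_id: str, acs_url: str, binding: str = HTTP_POST) -> str:
    """Return an md:EntityDescriptor for an SP with a single ACS endpoint.
    Signing keys are left out to keep the example short; a deployed SP would
    also publish its signing certificate in an md:KeyDescriptor."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    ed = ET.Element(f"{{{NS['md']}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{NS['md']}}}SPSSODescriptor",
                       protocolSupportEnumeration=NS["samlp"],
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    ET.SubElement(sp, f"{{{NS['md']}}}AssertionConsumerService",
                  Binding=binding, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def _slug(url: str) -> str:
    """First path segment of a URL, e.g. 'rv' for .../rv/metadata."""
    return urlparse(url).path.strip("/").split("/")[0]


def check_authn_request(authn_request_xml: str, metadata_xml: str) -> list:
    """Compare an AuthnRequest with SP metadata.
    Returns a list of findings; an empty list means the two are consistent."""
    findings = []
    req = ET.fromstring(authn_request_xml)
    md = ET.fromstring(metadata_xml)
    if req.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]

    # Issuer must be the entityID the metadata is published under.
    entity_id = md.get("entityID") or ""
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != entity_id:
        findings.append(f"Issuer {issuer!r} != metadata entityID {entity_id!r}")

    # The ACS URL/binding the request asks for must be one the metadata advertises;
    # this is what an IdP checks so assertions cannot be redirected to another endpoint.
    acs_url = req.get("AssertionConsumerServiceURL") or ""
    binding = req.get("ProtocolBinding") or ""
    advertised = {(a.get("Binding"), a.get("Location"))
                  for a in md.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    if (binding, acs_url) not in advertised:
        findings.append(f"ACS {acs_url!r} with binding {binding!r} not advertised in metadata")

    # Layout checks from the comment: same host, same slug for entityID and ACS.
    if urlparse(issuer).netloc != urlparse(acs_url).netloc:
        findings.append("Issuer and ACS are on different hosts")
    if _slug(entity_id) != _slug(acs_url):
        findings.append(f"entityID slug {_slug(entity_id)!r} differs from ACS slug {_slug(acs_url)!r}")
    return findings


if __name__ == "__main__":
    base = "https://selfservice.vetting-poc.surfconext.nl"
    current = build_sp_metadata(f"{base}/rv/metadata", f"{base}/second-factor/acs")
    for finding in check_authn_request(SAMPLE_AUTHN_REQUEST, current):
        print("finding:", finding)
```

Run against metadata built for the current deployment (`/rv/metadata` with `/second-factor/acs`) the only finding is the slug mismatch; against metadata for the proposed `/vetting/...` layout the quoted request fails on Issuer, ACS and slug at once, which is the kind of drift that goes unnoticed when the SP publishes no metadata for the IdP to check against.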
This issue is imported from Pivotal - Originally created at Mar 23, 2020 by bstrooband
The remote_vetting.yml configuration was static during development in order to always keep a working branch without configuration. Before the release of the MVP this needs to be configurable and moved to the parameters.yml.dist.