OpenConext / Stepup-SelfService

Stepup Self-service interface
Apache License 2.0

Improve samlstepupproviders configuration #426

Open phavekes opened 1 day ago

phavekes commented 1 day ago

This issue is imported from pivotal - Originally created at Apr 6, 2018 by Michiel Kodde

Description

SelfService, RA and the Gateway configure the SAML StepUp providers in the samlstepupproviders.yml and the matching samlstepupproviders_parameters.yml. This causes a great deal of configuration when adding a new GSSP. This readme is living proof.

We should work toward a solution where the samlstepupproviders is not prone to many changes. The parameters file should take the bulk of the changes when adding a GSSP.

Proposal

  1. Strip the samlstepupproviders.yml config files of the very specified gssp configuration. Example of the new situation:

    imports:
        - { resource: samlstepupproviders_parameters.yml }

    surfnet_stepup_self_service_saml_stepup_provider:
        routes:
            consume_assertion: ss_registration_gssf_consume_assertion
            metadata: ss_registration_gssf_saml_metadata
        # quoted: an unquoted scalar starting with '%' is not valid YAML
        providers: '%gssp_providers%'

  2. Add the structured configuration as an 'array parameter' to the samlstepupproviders_parameters.yml. Example:

    parameters:
        gssp_providers:
            tiqr:
                hosted:
                    service_provider:
                        public_key: '/full/path/to/the/public-key-file.cer'
                        private_key: '/full/path/to/the/private-key-file.pem'
                    metadata:
                        public_key: '/full/path/to/the/public-key-file.cer'
                        private_key: '/full/path/to/the/private-key-file.pem'
                remote:
                    entity_id: 'https://actual-gssp.entity-id.tld'
                    sso_url: 'https://actual-gssp.entity-id.tld/single-sign-on/url'
                    certificate: 'The contents of the certificate published by the gssp'
                view_config:
                    loa: 3
                    logo: '/path/to/tiqr/tiqr.png'
                    alt:
                        en_GB: 'Tiqr logo'
                        nl_NL: 'Tiqr logo'
                    title:
                        en_GB: 'Tiqr'
                        nl_NL: 'Tiqr'
                    # other view config options left out for brevity
            biometric:
                # biometric config here

This change entails the removal of the 'DI Configuration validation config'.

Comparable validation logic must be added to ensure the correct samlstepupproviders configuration.

Estimation 8hrs (see tasks below)
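An added example of the kind of validation logic the proposal asks for, written in Python over the parsed `gssp_providers` parameter; it is not Stepup-SelfService code. The required keys mirror the YAML above; the accepted LoA range (1..3) and the https requirement on `sso_url` are assumptions, and the sample input is constructed.

```python
# Added example, not Stepup-SelfService code: validates the proposed gssp_providers
# parameter. Keys mirror the proposal's YAML; LoA range 1..3 and https sso_url are assumptions.
HOSTED_KEYS = ("public_key", "private_key")
REMOTE_KEYS = ("entity_id", "sso_url", "certificate")
LOCALES = ("en_GB", "nl_NL")

def _require_strings(section, keys, path, errors):
    if not isinstance(section, dict):
        errors.append(f"{path}: must be a mapping")
        return
    for key in keys:
        value = section.get(key)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{path}.{key}: missing or empty")

def validate_gssp_providers(providers):
    """Return every problem found; an empty list means the structure is usable."""
    errors = []
    if not isinstance(providers, dict) or not providers:
        return ["gssp_providers: must be a non-empty mapping"]
    for name, cfg in providers.items():
        path = f"gssp_providers.{name}"
        if not isinstance(cfg, dict):  # e.g. a 'biometric:' key left without a body
            errors.append(f"{path}: provider configuration is empty")
            continue
        hosted = cfg.get("hosted") if isinstance(cfg.get("hosted"), dict) else {}
        for part in ("service_provider", "metadata"):
            _require_strings(hosted.get(part), HOSTED_KEYS, f"{path}.hosted.{part}", errors)
        remote = cfg.get("remote")
        _require_strings(remote, REMOTE_KEYS, f"{path}.remote", errors)
        sso = remote.get("sso_url") if isinstance(remote, dict) else None
        if isinstance(sso, str) and not sso.startswith("https://"):
            errors.append(f"{path}.remote.sso_url: users are redirected here, must be https")
        view = cfg.get("view_config")
        if not isinstance(view, dict):
            errors.append(f"{path}.view_config: must be a mapping")
            continue
        loa = view.get("loa")
        if not isinstance(loa, int) or not 1 <= loa <= 3:  # assumed valid LoA levels
            errors.append(f"{path}.view_config.loa: must be an integer 1..3")
        for text in ("alt", "title"):
            _require_strings(view.get(text), LOCALES, f"{path}.view_config.{text}", errors)
    return errors
# Constructed sample mirroring the proposal: tiqr complete, biometric left empty.
HOSTED = {"service_provider": {"public_key": "/p.cer", "private_key": "/p.pem"},
          "metadata": {"public_key": "/m.cer", "private_key": "/m.pem"}}
SAMPLE = {"tiqr": {"hosted": HOSTED, "view_config": {"loa": 3, "logo": "/tiqr.png",
          "alt": {"en_GB": "Tiqr logo", "nl_NL": "Tiqr logo"}, "title": {"en_GB": "Tiqr", "nl_NL": "Tiqr"}},
          "remote": {"entity_id": "https://gssp.example", "sso_url": "https://gssp.example/sso",
                     "certificate": "MIIC...constructed"}}, "biometric": None}
```

Running `validate_gssp_providers(SAMPLE)` reports only the empty `biometric` entry; such a check belongs in container compilation so a half-filled parameters file fails at deploy time rather than at the first registration.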

phavekes commented 1 day ago

Temporary solution (adding the file back to git) https://github.com/OpenConext/Stepup-Gateway/pull/151 (Joris Steyn - Apr 6, 2018)

phavekes commented 1 day ago

@jodi @pmeulen See my proposal in the description above.

  1. Is this proposal in-line with your expectancies?
  2. Is this something to aim for in sprint/release 15? (Michiel Kodde - Apr 11, 2018)

phavekes commented 1 day ago

Stepup-Deploy now dynamically generates the samlstepupproviders.yml and samlstepupproviders_parameters.yml files for the GW, SS and RA. See e.g.:

https://github.com/OpenConext/Stepup-Deploy/blob/develop/roles/stepup-selfservice/templates/samlstepupproviders.yml.j2
https://github.com/OpenConext/Stepup-Deploy/blob/develop/roles/stepup-selfservice/templates/samlstepupproviders_parameters.yml.j2

I think this takes care of the bulk of the GSSP configuration problem. Adding a new GSSP now only requires changes to the environment, no changes to Stepup-Deploy are required. (Pieter van der Meulen - Apr 19, 2018)