indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Clarification Needed: Unclear process for automatic retrieval of Renater user attributes and querying roles in IAM Indigo #671

Open bl000m opened 10 months ago

bl000m commented 10 months ago

Hello, I have 2 questions related to user attributes and roles in Indigo IAM, I hope you can help. Thank you in advance

1. Renater User attributes retrieval

When a user authenticates with Renater and registers on the Indigo IAM using the test account etudiant1, they are prompted to manually input attributes such as given name, family name, email, etc. Is there a method to automatically detect and populate these attributes (below the fake attributes provided by Renater for etudiant1) from the Renater profile?

Example Scenario:

* User logs in with Renater credentials.

* Redirected to IAM Indigo for registration.

* Attributes (given name, family name, etc.) are manually entered.

* Is there an automated way to fetch these attributes from the Renater profile?

2. User role (admin or not, group admin or not) and attributes Retrieval

It's unclear how to retrieve the roles of users registered on the IAM Indigo instance. Additionally, if attributes are added or updated for a user, what is the process for retrieving the updated information?

Example Scenario:

* User attributes or roles are modified in the IAM Indigo instance.

* How can the client retrieve the updated information?

* How can the roles associated with a user be queried programmatically?

Fake attributes provided by Renater for etudiant1

| Attribute | Value |
|---|---|
| cn | Dupont Jean |
| displayName | Jean Dupont |
| eduPersonAffiliation | student;member |
| eduPersonNickname | Jean |
| eduPersonOrgDN | dc=renater,dc=fr |
| eduPersonOrgUnitDN | o=maths,dc=renater,dc=fr |
| eduPersonPrimaryAffiliation | student |
| eduPersonPrimaryOrgUnitDN | o=maths,dc=renater,dc=fr |
| eduPersonPrincipalName | etudiant1@test-renater.fr |
| eduPersonScopedAffiliation | student@test-renater.fr;member@test-renater.fr |
| eduPersonTargetedID | https://test-idp.federation.renater.fr/idp/shibboleth!https://test-sp.federation.renater.fr!G7RU5R5PVWO2EQKBIO3ZHOMTQEQ2MO6J |
| facsimileTelephoneNumber | 0102030405 |
| givenName | Jean |
| l | Paris |
| labeledURI | http://example.org/dupont |
| mail | jean.dupont@formation.renater.fr |
| mailForwardingAddress | jeanperso@example.org |
| o | formation.renater.fr |
| ou | maths |
| pairwise-id | G7RU5R5PVWO2EQKBIO3ZHOMTQEQ2MO6J@test-renater.fr |
| postalAddress | 1 rue de Paris$12345 Ville |
| preferredLanguage | FR |
| schacHomeOrganization | test-renater.fr |
| schacHomeOrganizationType | urn:schac:homeOrganizationType:int:nren |
| schacPersonalUniqueCode | urn:schac:personalUniqueCode:int:esi:fr:1234567890G |
| sn | Dupont |
| subject-id | etudiant1@test-renater.fr |
| supannActivite | {CNU}5404 |
| supannAutreMail | etud1@fai1.fr;etud2@fai2.fr |
| supannAutreTelephone | 1234567890 |
| supannCMSType | etudiant |
| supannCivilite | Mr |
| supannCodeINE | 1234567890G |
| supannEntiteAffectation | z-123;z-124 |
| supannEntiteAffectationPrincipale | z-123 |
| supannEtablissement | {ILN}1-341725201;{AUTRE}formation.renater.fr |
| supannEtuAnneeInscription | 2008 |
| supannEtuCursusAnnee | {SUPANN}L3 |
| supannEtuDiplome | {SISE}2001350 |
| supannEtuElementPedagogique | {UAI:0171463Y}4929 |
| supannEtuEtape | {UAI:0171463Y}401 |
| supannEtuId | 12345 |
| supannEtuInscription | [etab={UAI}0131843H][anneeinsc=2007][regimeinsc={SISE}10][sectdisc={SISE}04][typedip={SISE}YA][cursusann=D3][affect=56R17][diplome={SISE}2001099][etape={UAI:0131843H}B8EFAI-B8EFA3] |
| supannEtuRegimeInscription | {SISE}10 |
| supannEtuSecteurDisciplinaire | {SISE}27 |
| supannEtuTypeDiplome | {SISE}DC |
| supannListeRouge | FALSE |
| supannMailPerso | jeanperso@example.org |
| supannNomDeNaissance | Dupont |
| supannOIDCDateDeNaissance | 1993-02-04 |
| supannOIDCGenre | male |
| supannPrenomsEtatCivil | Jean Pierre |
| supannRefId | {INE}1234567890G;{APOGEE}12345 |
| supannRessourceEtat | {MAIL}I:SupannExpire;{COMPTE}A |
| supannRessourceEtatDate | {COMPTE}I:SupannExpire:20211212:20220612;{COMPTE}A:SupannSursis:20210912:20211212;{COMPTE}A::20180115: |
| supannRoleEntite | [role=PRESIDENT][type=CONSEIL-ETUDIANT] |
| supannRoleGenerique | PRESIDENT-CONSEIL-ETUDIANT |
| telephoneNumber | +33 1 23 45 67 89 |
| title | M. |
| uid | etudiant1 |

rmiccoli commented 10 months ago

Hi @bl000m,

Hello, I have 2 questions related to user attributes and roles in Indigo IAM, I hope you can help. Thank you in advance

1. Renater User attributes retrieval

When a user authenticates with Renater and registers on the Indigo IAM using the test account etudiant1, they are prompted to manually input attributes such as given name, family name, email, etc. Is there a method to automatically detect and populate these attributes (below the fake attributes provided by Renater for etudiant1) from the Renater profile?

Example Scenario:

* User logs in with Renater credentials.

* Redirected to IAM Indigo for registration.

* Attributes (given name, family name, etc.) are manually entered.

* Is there an automated way to fetch these attributes from the Renater profile?

You can configure it by adding in your application-*.yml file the following section:

```yaml
iam:
  registration:
    samlEntityId: ${IAM_SAML_IDP_METADATA}
    authentication-type: saml
    fields:
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      email:
        read-only: false
        external-auth-attribute: email
      username:
        read-only: false
        external-auth-attribute: suggested_username
```

Note that the attribute names (given_name, etc.) are derived from the SAML assertion that is returned after authentication with an external provider. Sometimes, for instance, some assertions return preferred_username rather than suggested_username. You can later verify this at the /iam/authn-info endpoint after logging in with your IdP. I think this last sentence also partly answers the second question.

2. User role (admin or not, group admin or not) and attributes Retrieval

It's unclear how to retrieve the roles of users registered on the IAM Indigo instance. Additionally, if attributes are added or updated for a user, what is the process for retrieving the updated information?

Example Scenario:

* User attributes or roles are modified in the IAM Indigo instance.

* How can the client retrieve the updated information?

* How can the roles associated with a user be queried programmatically?

rmiccoli commented 10 months ago

Also, other user info, like roles, attributes, etc., can be obtained via IAM account API. Only Admins can access this API, but starting from IAM v1.8.2 access is based on the iam:admin.read and iam:admin.write scopes (no longer based on roles).

Ref. https://indigo-iam.github.io/v/v1.8.2/docs/reference/api/account-api/

bl000m commented 10 months ago

Hi @rmiccoli,

Thanks for your response. I'm a bit unsure where to add the .yml file exactly.

I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link

In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem; could you clarify that?

I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or it would be even better if we could skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM instance is meant. Would it be possible?

For the second question, here's an example scenario for clarification:

* A user with no admin role logs into FITS via Indigo IAM.

  * How can I find out their role to prevent access to admin features if they can't access the account API?

Thanks for your help

rmiccoli commented 10 months ago

Hi @rmiccoli,

Thanks for your response. I'm a bit unsure where to add the .yml file exactly.

I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link

In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem; could you clarify that?

If you use a docker container, you can mount the file in the default directory /indigo-iam/config. If your file is named application-pippo.yml, remember to set the profile pippo in the IAM_JAVA_OPTS env variable, e.g.

```
IAM_JAVA_OPTS=-Dspring.profiles.active=pippo
```

I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or it would be even better if we could skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM instance is meant. Would it be possible?

No, it is not possible at the moment. We have some work ready on autoprovisioning but there are bugs to work out.

For the second question, here's an example scenario for clarification:

* A user with no admin role logs into FITS via Indigo IAM.

  * How can I find out their role to prevent access to admin features if they can't access the account API?

Thanks for your help

If I understood your question correctly, an authenticated user can only access their own info (attributes, authorities) through the web interface, e.g. https://<your-iam-instance>/iam/me/authorities or https://<your-iam-instance>/iam/account/<uuid>/attributes

bl000m commented 10 months ago

Thank you @rmiccoli,

I have a docker compose that mounts on iam-login-service the files generated from other containers.

But still the Renater test user is prompted to manually add his data in the registration form. Where am I wrong?

NB: thanks for the other question, I think it's clear now

```yaml
services:  # excerpt: the mariadb_iam_db service and the jwtk_gen/cert_gen named volumes are not shown
  jwtk_generator:
    build:
      context: ./Docker/jwtk_generator
    container_name: jwtk_generator
    env_file:
      - .env
    volumes:
      - jwtk_gen:/app
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped

  cert_generator:
    build:
      context: ./Docker/cert_generator
      args:
        - IAM_SAML_KEY_PASSWORD=${IAM_SAML_KEY_PASSWORD}
        - IAM_HOST=${IAM_HOST}
    container_name: cert_generator
    volumes:
      - cert_gen:/certs
    env_file:
      - .env
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped

  iam-login-service:
    image: indigoiam/iam-login-service
    container_name: iam-login-service
    ports:
      - 8080:8080
    env_file:
      - .env
    volumes:
      - ./DB/mariadb_data_iam_db:/var/lib/mysql
      - ./Tokens/keystore.jwks:/keystore.jwks
      - ./Certs/self-signed.jks:/self-signed.jks
      - ./Conf/application-renater.yml:/application-renater.yml
    restart: unless-stopped
    depends_on:
      - mariadb_iam_db
      - jwtk_generator
      # - cert_generator
    networks:
      - default
```

federicaagostini commented 10 months ago

Please replace `- ./Conf/application-renater.yml:/application-renater.yml` with `- ./Conf/application-renater.yml:/indigo-iam/config/application-renater.yml` and be sure that in the IAM log you have something like

```
2023-11-17 10:34:36.584  INFO 368629 --- [  restartedMain] it.infn.mw.iam.IamLoginService           : The following ... profiles are active: "renater", ...
```

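The three places this thread ties together (the compose bind-mount path, the profile named in IAM_JAVA_OPTS, and the "profiles are active" line in the IAM log) have to agree before a custom application-*.yml is picked up, and the mismatch in the posted compose file is exactly the kind of thing that is easy to miss by eye. The script below cross-checks them. It is an added example, not code from this issue or from the indigo-iam project; it assumes the default config directory /indigo-iam/config named above, and the compose and log excerpts it uses are constructed from the ones posted in the thread.

```python
"""Cross-check compose mount path, active Spring profile and IAM log line.

Added example (not from indigo-iam). Assumes IAM only loads application-<profile>.yml
files from CONFIG_DIR, as stated in the thread.
"""
import posixpath
import re

CONFIG_DIR = "/indigo-iam/config"  # default config directory named in the thread

# Constructed excerpt modelled on the compose file posted in the issue.
COMPOSE_AS_POSTED = """
  iam-login-service:
    image: indigoiam/iam-login-service
    volumes:
      - ./DB/mariadb_data_iam_db:/var/lib/mysql
      - ./Tokens/keystore.jwks:/keystore.jwks
      - ./Conf/application-renater.yml:/application-renater.yml
"""
# The same excerpt with the mount moved under the config directory.
COMPOSE_FIXED = COMPOSE_AS_POSTED.replace(
    ":/application-renater.yml", ":/indigo-iam/config/application-renater.yml")
JAVA_OPTS = "-Dspring.profiles.active=renater"
# Constructed log line in the shape reported later in the thread.
LOG_LINE = ('2023-11-17 10:34:36.584  INFO 368629 --- [  restartedMain] '
            'it.infn.mw.iam.IamLoginService : The following 7 profiles are active: '
            '"prod", "mysql", "flyway-repair", "oidc", "saml", "registration", "renater"')

# Matches a bind-mount list item whose container side is an application-<profile>.yml file.
MOUNT_RE = re.compile(
    r"^\s*-\s*(?P<host>[^:\s]+):(?P<container>/[^:\s]*application-(?P<profile>[\w-]+)\.yml)\s*$")


def config_mounts(compose_text):
    """Map profile name -> container path for each application-<profile>.yml mount (line-based)."""
    mounts = {}
    for line in compose_text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            mounts[m.group("profile")] = m.group("container")
    return mounts


def misplaced_mounts(compose_text):
    """Profiles whose config file lands outside CONFIG_DIR, where IAM will not read it."""
    return sorted(p for p, path in config_mounts(compose_text).items()
                  if posixpath.dirname(path) != CONFIG_DIR)


def profiles_from_java_opts(java_opts):
    """Profiles listed in -Dspring.profiles.active=a,b,c (empty list if unset)."""
    m = re.search(r"-Dspring\.profiles\.active=(\S+)", java_opts)
    return m.group(1).split(",") if m else []


def profiles_from_log(log_line):
    """Quoted profile names following 'profiles are active:' in the startup log line."""
    if "profiles are active:" not in log_line:
        return []
    return re.findall(r'"([^"]+)"', log_line.split("profiles are active:", 1)[1])


def diagnose(compose_text, java_opts, log_line):
    """Return a list of problems; an empty list means all three places agree."""
    problems = []
    mounts = config_mounts(compose_text)
    for profile in misplaced_mounts(compose_text):
        problems.append(f"{profile}: mounted at {mounts[profile]}, expected under {CONFIG_DIR}")
    for profile in mounts:
        if profile not in profiles_from_java_opts(java_opts):
            problems.append(f"{profile}: not listed in -Dspring.profiles.active")
        if profile not in profiles_from_log(log_line):
            problems.append(f"{profile}: not reported active in the IAM log")
    return problems


if __name__ == "__main__":
    for label, compose in (("as posted", COMPOSE_AS_POSTED), ("fixed", COMPOSE_FIXED)):
        print(f"[{label}]", diagnose(compose, JAVA_OPTS, LOG_LINE) or "OK")
```

Run it against your own compose file, the value of IAM_JAVA_OPTS and the startup log line; a profile that is mounted correctly but missing from either of the other two lists is reported separately, so the output says which of the three places needs fixing.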
bl000m commented 10 months ago

I did it. I have this IAM log: `The following 7 profiles are active: "prod", "mysql", "flyway-repair", "oidc", "saml", "registration", "renater"`, but still the user from Renater is asked to manually register.

To check: if I try:

What am I doing wrong? Thanks

rmiccoli commented 10 months ago

Once you get to the login form, can you please verify that you can see the attributes given_name, etc., at the /iam/authn-info endpoint?

bl000m commented 10 months ago

At the /iam/authn-info endpoint I see this (only suggested_username is not null):

```json
{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "lecteur1@test-renater.fr",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null,
  "given_name": null,
  "family_name": null,
  "suggested_username": "lecteur1@test-renater.fr",
  "additional_attributes": {
    "EPPN": "lecteur1@test-renater.fr",
    "EPUID": "lecteur1@test-renater.fr",
    "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}
```

rmiccoli commented 10 months ago

It means that Renater IdP does not provide those attributes, but you should at least see the username field filled out with value lecteur1@test-renater.fr in the registration form.

rmiccoli commented 10 months ago

If you use the student profile, you should get those attributes (I took a look at https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test).

bl000m commented 10 months ago

Yes, I do see the username field, but it's mapped on eduPersonPrincipalName; how can I map it on displayName? All the other fields are empty. Actually Renater should provide all the attributes (see above in the first message I posted the fake attributes provided by Renater for etudiant1, or in the link you looked at, https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test: click on our test service provider, then federation de test; you can log in with the etudiant1 credentials to check the attributes). Thanks for your help.

rmiccoli commented 10 months ago

Yes, actually I can see them also by authenticating with the authorized reader profile credentials. The fact that you see the username mapped on eduPersonPrincipalName is due to an IAM internal mapping:

SAML -> IAM

(ref. https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java#L70)

The other SAML attributes are published under additional_attributes claim. They include the commonName (cn), not the displayName, so you could change the configuration by replacing the suggested_username with CN. The weird thing is that the other attributes, like CN, are not shown (or are null) even if they are present. I'll investigate further.
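The diagnostic rmiccoli describes across this thread (the iam.registration.fields mapping, checking /iam/authn-info to see which attribute names actually arrive, and cn being published under additional_attributes) can be turned into a small check that reads an authn-info document and reports which registration fields would be prefilled and which the user would still have to type. This is an added example, not code from the issue or from indigo-iam. It assumes a dict mirroring the iam.registration.fields section quoted above, uses the authn-info JSON posted in this thread plus a constructed student-profile document, and treats lookup of a name such as CN inside additional_attributes as an assumption about IAM's behaviour, not documented fact.

```python
"""Report which IAM registration fields a SAML login would prefill.

Added example, not from indigo-iam. Assumptions:
  * FIELDS_AS_CONFIGURED mirrors iam.registration.fields from the yml in this
    thread (form field -> external-auth-attribute);
  * lookup_attribute() falls back to additional_attributes; whether IAM itself
    resolves a name such as "CN" that way is not confirmed here.
"""
import json

# Sample 1: the /iam/authn-info document posted in this thread (lecteur1 profile).
AUTHN_INFO_LECTEUR1 = json.loads("""
{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "lecteur1@test-renater.fr",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null,
  "given_name": null,
  "family_name": null,
  "suggested_username": "lecteur1@test-renater.fr",
  "additional_attributes": {
    "EPPN": "lecteur1@test-renater.fr",
    "EPUID": "lecteur1@test-renater.fr",
    "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}
""")

# Sample 2 (constructed): what a student-profile login could look like if the IdP
# released givenName/sn/mail and the cn shown in the attribute table of the first post.
AUTHN_INFO_STUDENT = {
    "type": "SAML",
    "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
    "subject": "etudiant1@test-renater.fr",
    "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
    "email": "jean.dupont@formation.renater.fr",
    "given_name": "Jean",
    "family_name": "Dupont",
    "suggested_username": "etudiant1@test-renater.fr",
    "additional_attributes": {"EPPN": "etudiant1@test-renater.fr", "CN": "Dupont Jean", "type": "saml"},
}

# Form field -> external-auth-attribute, as in the yml quoted in this thread.
FIELDS_AS_CONFIGURED = {
    "name": "given_name",
    "surname": "family_name",
    "email": "email",
    "username": "suggested_username",
}

# Structural claims of the authn-info document that are never user attributes.
NON_ATTRIBUTE_CLAIMS = {"type", "issuer", "subject", "subject_attribute", "additional_attributes"}


def lookup_attribute(info, name):
    """Value of `name` from the top-level claims, else from additional_attributes, else None."""
    if info.get(name) is not None:
        return info[name]
    return (info.get("additional_attributes") or {}).get(name)


def check_mapping(info, fields):
    """Per form field: (mapped attribute name, value the form would be prefilled with or None)."""
    return {field: (attr, lookup_attribute(info, attr)) for field, attr in fields.items()}


def empty_fields(info, fields):
    """Form fields the user would have to type by hand, sorted by name."""
    return sorted(f for f, (_, v) in check_mapping(info, fields).items() if v is None)


def available_attributes(info):
    """Non-null attribute names that could be used as external-auth-attribute values."""
    names = {k for k, v in info.items() if v is not None and k not in NON_ATTRIBUTE_CLAIMS}
    extra = info.get("additional_attributes") or {}
    names |= {k for k, v in extra.items() if v is not None and k not in NON_ATTRIBUTE_CLAIMS}
    return sorted(names)


def report(info, fields):
    """One human-readable line per form field."""
    lines = []
    for field, (attr, value) in check_mapping(info, fields).items():
        state = f"prefilled with {value!r}" if value is not None else "EMPTY (user must type it)"
        lines.append(f"{field:<9} <- {attr:<19} {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUTHN_INFO_LECTEUR1, FIELDS_AS_CONFIGURED)))
    print("usable attribute names:", ", ".join(available_attributes(AUTHN_INFO_LECTEUR1)))
```

Paste the JSON you see at /iam/authn-info in place of the first sample: the report shows at a glance that, for the lecteur1 document, only username would be prefilled, and the list of usable names tells you which external-auth-attribute values the assertion actually supports before you edit application-*.yml.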