This repository has been archived by the owner on Oct 6, 2020. It is now read-only.

OpenConext-Attic/OpenConext-eduproxy
OpenConext-eduproxy


eduProxy is a SAML proxy that acts as an Identity Provider towards all eduGAIN Service Providers and as a Service Provider in the OpenConext SAML federation.

The proxy behaviour is configurable, so eduProxy can also be used as a generic IdP-SP SAML proxy with hooks for 'enriching' the AuthnResponse.

  • Java 7
  • Maven 3

This project uses Spring Boot and Maven. To run locally, type:

mvn spring-boot:run

When developing, it's convenient to just run the application's main method, which is in Application.

The eduProxy metadata is generated and accessible on http://localhost:8080/sp/metadata and http://localhost:8080/idp/metadata. The metadata is cached and refreshed every 24 hours. This can be configured:

proxy:
  # duration of metadata cache (1 day)
  validity_duration_metadata_ms: 86400000

The Service Providers allowed to connect to eduProxy are taken from a metadata feed configured in application.yml:

serviceproviders:
  feed: http://mds.edugain.org/

By default - but easily changed / overridden - all Service Providers in the SAML metadata feed are allowed to connect. See ServiceProviderFeedParser.

The feed can also be a file url when developing locally:

serviceproviders:
  feed: classpath:saml/edugain.xml

When developing locally or deploying in a test environment, eduProxy can be configured to accept any SP by setting serviceproviders.allow_unknown to true. This disables the metadata-based SP allow-list and is not recommended outside test setups; the default is false.

serviceproviders:
  allow_unknown: true

The metadata of the Identity Provider must be provided in application.yml. Currently only one IdP is supported; a WAYF, if needed, is assumed to be the responsibility of the Identity Provider proxied by eduProxy.

idp:
  # metadata_url: https://engine.surfconext.nl/authentication/idp/metadata
  metadata_url: classpath:saml/eb.idp.metadata.xml

There are integration tests that spin up a running application; these can also be run inside the IDE.

There is a test SP endpoint that requires authentication against the configured IdP and displays all SAML attributes received:

http://localhost:8080/test

The production SAML flow with an eduProxy is depicted in this image.

The SAML Spring Security library needs a private RSA key / public certificate pair for the eduProxy IdP / SP. These can be generated with openssl (note the '/'-separated subject; a comma would make "Organization, CN=EduProxy" a single O value):

openssl req -subj '/O=Organization/CN=EduProxy' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out eduproxy.crt -keyout eduproxy.pem

The library expects the RSA private key as the base64 of its PKCS#8 DER encoding, so re-encode the key as unencrypted PKCS#8. Despite the .der file name, openssl pkcs8 writes PEM armour by default; the armour is stripped in the next step:

openssl pkcs8 -nocrypt  -in eduproxy.pem -topk8 -out eduproxy.der

Remove the line breaks, header and footer from eduproxy.der and eduproxy.crt, leaving one base64 line each:

cat eduproxy.der |head -n -1 |tail -n +2 | tr -d '\n'; echo
cat eduproxy.crt |head -n -1 |tail -n +2 | tr -d '\n'; echo

The above commands rely on GNU head (head -n -1) and work on Linux distributions. On macOS, install coreutils and issue the same commands with ghead:

brew install coreutils

cat eduproxy.der |ghead -n -1 |tail -n +2 | tr -d '\n'; echo
cat eduproxy.crt |ghead -n -1 |tail -n +2 | tr -d '\n'; echo

Add the eduProxy key pair to the application.yml file (the private_key value is sensitive and must not be committed or packaged):

# eduProxy
proxy:
  private_key: ${output from cleaning the der file}
  certificate: ${output from cleaning the crt file}
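The key-generation steps above, combined into one script. This is an added example, not part of the OpenConext-eduproxy project: it generates the key pair, converts the key to PKCS#8, strips the PEM armour with grep/tr so it runs unchanged on Linux and macOS (no GNU head or ghead needed), verifies that the stripped blob really is a PKCS#8 DER key belonging to the certificate, and prints the proxy: block for application.yml. The file names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenConext-eduproxy project: generate the
# eduProxy RSA key / self-signed certificate pair, convert the key to PKCS#8,
# strip the PEM armour, verify the result and emit the application.yml snippet.
# Only grep/tr are used for stripping, so no GNU head -n -1 / ghead is needed.
set -eu

# Drop the -----BEGIN/END----- lines and all line breaks, leaving the base64
# body on one line. This is the value application.yml expects.
strip_pem() {
    grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Key + self-signed certificate valid ~10 years. Note the '/'-separated -subj;
# a comma inside the subject would make "Organization, CN=EduProxy" one O value.
generate_keypair() {
    subject="${1:-/O=Organization/CN=EduProxy}"
    openssl req -subj "$subject" -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -out eduproxy.crt -keyout eduproxy.pem 2>/dev/null
    # Unencrypted PKCS#8. Despite the .der name the output is PEM-armoured;
    # strip_pem turns it into the base64 of the DER encoding.
    openssl pkcs8 -nocrypt -topk8 -in eduproxy.pem -out eduproxy.der
}

# Checks worth doing before pasting into application.yml:
#  1. the stripped blob decodes as a PKCS#8 DER private key;
#  2. the certificate's public key belongs to that private key.
verify_keypair() {
    strip_pem eduproxy.der | openssl base64 -d -A | openssl pkey -inform DER -noout
    key_pub=$(openssl pkey -in eduproxy.pem -pubout -outform DER | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in eduproxy.crt -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Print the proxy: block for application.yml (three lines).
emit_yaml() {
    printf 'proxy:\n  private_key: %s\n  certificate: %s\n' \
        "$(strip_pem eduproxy.der)" "$(strip_pem eduproxy.crt)"
}

# Usage: sh gen-eduproxy-keys.sh run   (writes the files into the current directory)
if [ "${1:-}" = "run" ]; then
    generate_keypair
    verify_keypair
    emit_yaml
fi
```

Run it in an empty directory and paste the printed proxy: block into an application.yml that lives outside the jar; the eduproxy.pem and eduproxy.der files contain the same private key and should be deleted or stored as secrets afterwards.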

The eduProxy jar ships with a documented application.yml. When deploying to a non-local environment, provide an application.yml outside the packaged jar to override the eduProxy configuration; the private key and certificate in particular belong in that external file, not inside the jar.
