From 2a2bd6323b4760ddc21ca23a65462a3e481d6e9e Mon Sep 17 00:00:00 2001
From: Maximilian Moser <maximilian.moser@tuwien.ac.at>
Date: Fri, 6 Oct 2023 22:17:05 +0200
Subject: [PATCH] Update the SAML configuration

* according to feedback from PB from ACOnet
* while not strictly necessary (because they usually tweak the metadata
  a bit), it's still nice for documentation purposes for us
---
 config/internal_attributes.yaml | 12 ++----
 config/oidc-frontend.yaml       | 10 +++--
 config/saml2-backend.yaml       | 73 +++++++++++++++++++++++++++++++--
 3 files changed, 79 insertions(+), 16 deletions(-)

diff --git a/config/internal_attributes.yaml b/config/internal_attributes.yaml
index 9ae8059..0b3ac8b 100644
--- a/config/internal_attributes.yaml
+++ b/config/internal_attributes.yaml
@@ -1,7 +1,7 @@
 attributes:
   id:
     openid: [sub]
-    saml: [uid, eduPersonTargetedID]
+    saml: [subject-id, pairwise-id, eduPersonPrincipalName, eduPersonUniqueID]
 
   # email, username
   displayname:
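Review bot: The new `saml` list for `id` mixes identifiers with different stability guarantees, and (as far as I recall the SATOSA attribute mapper) the first listed attribute an IdP actually releases wins, so the same person can be keyed by `subject-id` at one IdP, `pairwise-id` at another and `eduPersonPrincipalName` at a third, and re-keyed once an IdP starts releasing a higher-priority attribute; since `user_id_from_attrs: [id]` feeds the pairwise `sub` in the OIDC frontend, every such change alters the user's `sub`. `eduPersonPrincipalName` in particular is not guaranteed to be stable and may be reassigned by some IdPs. Suggest documenting the intent above the list, `# precedence order, most stable first; adding or reordering entries re-keys existing users`, and planning an account-linking step before the list is touched again.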
@@ -12,9 +12,6 @@ attributes:
     saml: [email, emailAddress, mail]
 
   # name
-  name:
-    openid: [name]
-    saml: [cn]
   firstname:
     openid: [given_name]
     saml: [givenName]
@@ -23,9 +20,8 @@ attributes:
     saml: [sn, surname]
 
   # extra info
-  role:
-    saml: [role]
-  edupersonentitlement:
-    saml: [edupersonentitlement]
+  affiliation:
+    openid: [affiliation]
+    saml: [eduPersonScopedAffiliation, eduPersonAffiliation]
 
 user_id_from_attrs: [id]
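Review bot: `affiliation` folds `eduPersonScopedAffiliation` and `eduPersonAffiliation` into a single internal attribute, so a consumer of the `affiliation` claim receives either scoped values (a constructed example: `staff@example.org`) or bare ones (`staff`) depending on what the IdP releases, and cannot tell which it got. Bare `eduPersonAffiliation` values are not attributable to an organisation, so they should not be used for authorisation decisions across a federation. Suggest a comment above the key, `# scoped values are preferred; bare eduPersonAffiliation values cannot be tied to an organisation`, and, if the claim drives access decisions, treating only scoped values as meaningful.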
diff --git a/config/oidc-frontend.yaml b/config/oidc-frontend.yaml
index d8b6d84..0f81ba6 100644
--- a/config/oidc-frontend.yaml
+++ b/config/oidc-frontend.yaml
@@ -35,13 +35,15 @@ config:
 
   # if not specified, it is randomly generated on every startup
   sub_hash_salt: !ENV SATOSA_OIDC_HASH_SALT
-  sub_mirror_subject: no
+  sub_mirror_public: yes
 
   provider:
     client_registration_supported: yes
     response_types_supported: ["code"]
     subject_types_supported: ["pairwise"]
-    scopes_supported: ["openid", "email", "profile"]
-    extra_scopes: {}
-    id_token_lifetime: 3600
+    scopes_supported: ["openid", "email", "profile", "extras"]
+    extra_scopes:
+      extras:
+        - affiliation
+    id_token_lifetime: 60
     extra_id_token_claims: {}
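Review bot: `sub_mirror_public: yes` (and the existing `client_registration_supported: yes`) use YAML 1.1 boolean-looking scalars while `saml2-backend.yaml` in the same commit writes `false`; use `sub_mirror_public: true` so the value is unambiguous under a YAML 1.2 parser and consistent across the config. `id_token_lifetime: 60` (seconds, assuming the unit the previous `3600` implied) leaves no tolerance for clock skew between SATOSA and relying parties, so clients validating `exp` without leeway may reject tokens on arrival; a comment stating the intent, `# short lifetime on purpose: RPs must consume the ID token immediately`, would help the next reader. I cannot tell from the hunk whether the `sub_mirror_subject` → `sub_mirror_public` rename fixes a key the frontend never read; if so, the old setting was silently ignored and that deserves a sentence in the commit message.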
diff --git a/config/saml2-backend.yaml b/config/saml2-backend.yaml
index 6e90d0c..c8b9aab 100644
--- a/config/saml2-backend.yaml
+++ b/config/saml2-backend.yaml
@@ -4,6 +4,7 @@
 #
 # more information:
 # https://wiki.oasis-open.org/security/FrontPage
+# https://github.com/IdentityPython/pysaml2/blob/master/docs/howto/config.rst
 #
 module: satosa.backends.saml2.SAMLBackend
 name: saml
@@ -38,8 +39,8 @@ config:
     cert_file: !ENV SATOSA_SAML_CERT_FILE
     organization: {display_name: TU Wien, name: TU Wien, url: 'https://www.tuwien.at/'}
     contact_person:
-    - {contact_type: technical, email_address: 'tudata@tuwien.ac.at', given_name: Technical Support}
-    - {contact_type: other, email_address: 'tudata@tuwien.ac.at', given_name: Security Contact}
+      - {contact_type: technical, email_address: 'tudata@tuwien.ac.at', given_name: Technical Support}
+      - {contact_type: other, email_address: 'tudata@tuwien.ac.at', given_name: Security Contact}
 
     metadata:
       remote:
@@ -51,6 +52,18 @@ config:
     entityid: https://researchdata.tuwien.ac.at/saml
     accepted_time_diff: 60
 
+    # we provide information about the entity categories that we want to be part of
+    # these are shorthands for setting the appropriate `entity_attributes` values
+    #
+    # accepted values can be found in the python module `saml2.entity_category`
+    # https://github.com/IdentityPython/pysaml2/tree/master/src/saml2/entity_category
+    entity_category_support:
+      # R&S
+      - "http://refeds.org/category/research-and-scholarship"
+
+      # GEANT Code of Conduct v1
+      - "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
+
     # Information about the service in question
     service:
       sp:
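Review bot: `entity_category_support` produces the `entity-category-support` entity attribute, which in the REFEDS specifications is what an IdP asserts to signal that it supports a category; an SP claiming membership in R&S or the Code of Conduct publishes `http://macedir.org/entity-category`, which pysaml2 exposes as `entity_category` — worth confirming against the linked pysaml2 config docs rather than relying on ACOnet to adjust the metadata. Both categories also carry obligations that this hunk does not show (the `service.sp` block continues outside it): the Code of Conduct expects a privacy statement URL in the SP's UIInfo, and R&S expects the SP to request no more than the R&S attribute bundle. Suggest extending the comment above the key, `# asserting a category is a commitment: CoCo needs a privacy statement URL in ui_info, R&S limits the requested attributes`.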
@@ -74,14 +87,17 @@ config:
             text: "https://researchdata.tuwien.ac.at/static/images/tu-wien-logo.png"
             width: "100"
             height: "100"
+
         authn_requests_signed: false
         want_response_signed: false
+        want_assertions_signed: false
         allow_unsolicited: true
+
         endpoints:
           assertion_consumer_service:
-          - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+            - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
           discovery_response:
-          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+            - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
 
         # name_id_format: a list of strings to set the <NameIDFormat> element in SP metadata
         # name_id_policy_format: a string to set the Format attribute in the NameIDPolicy element
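Review bot: `want_assertions_signed: false` next to the existing `want_response_signed: false` disables both signature requirements on the SP side, leaving whatever pysaml2's `want_assertions_or_response_signed` default provides as the only integrity check; if that is also turned off anywhere outside this hunk, the backend would accept an unsigned Response carrying unsigned Assertions, and with `allow_unsolicited: true` no matching AuthnRequest is needed either. Federated IdPs sign assertions by default, so `want_assertions_signed: true` is the safer value and is also what pysaml2 publishes as `WantAssertionsSigned` in the SP metadata. If the value is deliberate because of a specific IdP, record that next to the line, `# TODO(review): unsigned assertions accepted because <reason>; re-enable once <IdP> signs`. The enclosing `sp` mapping starts and ends outside this hunk.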
@@ -89,3 +105,52 @@ config:
         # name_id_format_allow_create: sets the AllowCreate attribute in the NameIDPolicy element
         # of the authentication request
         name_id_format_allow_create: true
+
+        requested_attributes:
+          # "subject-id" (urn:oasis:names:tc:SAML:attribute:subject-id) and
+          # "pairwise-id" (urn:oasis:names:tc:SAML:attribute:pairwise-id) are
+          # special in how they're requested
+          #
+          # fallback for them: "ePPN"
+          # https://help.switch.ch/aai/support/documents/attributes/edupersonprincipalname/
+          - friendly_name: "eduPersonPrincipalName"
+            name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+            name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            required: false
+
+          - friendly_name: "mail"
+            name: "urn:oid:0.9.2342.19200300.100.1.3"
+            name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            required: true
+
+          - friendly_name: "givenName"
+            name: "urn:oid:2.5.4.42"
+            name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+            required: true
+
+          - friendly_name: "sn"
+            name: "urn:oid:2.5.4.4"
+            name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+            required: true
+
+          # https://help.switch.ch/aai/support/documents/attributes/displayname/
+          - friendly_name: "displayName"
+            name: "urn:oid:2.16.840.1.113730.3.1.241"
+            name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            required: false
+
+          # maybe we could collect "eduPersonScopedAffiliation" optionally
+          # https://help.switch.ch/aai/support/documents/attributes/edupersonscopedaffiliation/
+          # - friendly_name: "eduPersonScopedAffiliation"
+          #   name: "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+          #   name_format: ""
+          #   required: false
+
+        optional_attributes:
+          - displayName
+          - eduPersonPrincipalName
+
+        required_attributes:
+          - mail
+          - givenName
+          - sn
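Review bot: `givenName` and `sn` are requested with `name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` although their `name` values are OIDs (`urn:oid:2.5.4.42`, `urn:oid:2.5.4.4`); the other entries pair OID names with the `uri` format, which is what the SAML X.500/LDAP attribute profile prescribes, and IdPs that match a RequestedAttribute on name plus NameFormat may not recognise the two `basic` entries. Change both to `name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`. The `required_attributes`/`optional_attributes` lists restate the `required:` flags already in `requested_attributes`, giving two sources of truth that can drift; a comment such as `# keep in sync with the required: flags in requested_attributes above` would at least flag it, and the commented-out `eduPersonScopedAffiliation` entry has an empty `name_format` that needs the uri format before it is ever enabled. The `sp` mapping begins before this hunk.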
-- 
GitLab