Update configuration and README

* rename OIDC frontend * change TU Wien logo in SAML configuration * use proper ACR in SAML * plus some further smaller changes

Update configuration and README
* rename OIDC frontend * change TU Wien logo in SAML configuration * use proper ACR in SAML * plus some further smaller changes
81631fd2 · Moser, Maximilian · 6a8b769d · 81631fd2 · 81631fd2 · 81631fd2
Commit 81631fd2 authored 1 year ago by Moser, Maximilian
--- a/README.md
+++ b/README.md
@@ -26,11 +26,13 @@ To run the project in containers, it's enough to simply run `docker compose up -

 Both the frontend and backend are available under paths starting with their configured names:

-The OIDC frontend is available under the path `/oauth`.
-For instance, `/oauth/jwks` gives information about the key used for signing the JWTs.
+The OIDC frontend is available under the path `/oidc`.
+For instance, `/oidc/jwks` gives information about the key used for signing the JWTs.

-Similarly, the SAML backend endpoints are available under the path `/saml`.
-The SAML metadata is available under `/saml/metadata.xml` in XML format.
+Further information can be found under the top-level endpoint `/.well-known/openid-configuration`.
+
+The SAML backend endpoints are available under the path `/saml`.
+The metadata is available under `/saml/metadata.xml` in XML format.


 ## SSL/TLS keys

--- a/config/oidc-frontend.yaml
+++ b/config/oidc-frontend.yaml
@@ -3,10 +3,10 @@
 # https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/frontends/openid_connect_frontend.yaml.example
 #
 module: satosa.frontends.openid_connect.OpenIDConnectFrontend
-name: oauth
+name: oidc
 config:
  signing_key_path: !ENV SATOSA_OIDC_KEY_FILE
-  signing_key_id: oauth
+  signing_key_id: oidc

  # Defines the database connection URI for the databases:
  # - authz_code_db
@@ -35,18 +35,13 @@ config:

  # if not specified, it is randomly generated on every startup
  sub_hash_salt: !ENV SATOSA_OIDC_HASH_SALT
+  sub_mirror_subject: no

  provider:
    client_registration_supported: yes
-    response_types_supported: ["code"] #, "id_token token"]
+    response_types_supported: ["code"]
    subject_types_supported: ["pairwise"]
    scopes_supported: ["openid", "email", "profile"]
-    extra_scopes:
-      foo_scope:
-      - bar_claim
-      - baz_claim
+    extra_scopes: {}
    id_token_lifetime: 3600
-    extra_id_token_claims:
-      foo_client:
-        - bar_claim
-        - baz_claim
+    extra_id_token_claims: {}
--- a/config/saml2-backend.yaml
+++ b/config/saml2-backend.yaml
@@ -2,13 +2,20 @@
 # based on the example SAML backend configuration:
 # https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/backends/saml2_backend.yaml.example
 #
+# more information:
+# https://wiki.oasis-open.org/security/FrontPage
+#
 module: satosa.backends.saml2.SAMLBackend
 name: saml
 config:
  idp_blacklist_file: blacklist.json

+  # ACR: authentication class context reference
+  # LOA: level of authentication
+  #
+  # we choose PW + TLS, c.f. https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
  acr_mapping:
-    "": default-LoA
+    "": urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  # disco_srv must be defined if there is more than one IdP in the metadata specified above
  #disco_srv: http://disco.example.com
@@ -59,11 +66,11 @@ config:
            - lang: en
              text: ["TU Wien", "Research Data"]
          logo:
-            text: "https://researchdata.tuwien.ac.at/static/images/favicon-32x32.png"
-            width: "32"
-            height: "32"
-        authn_requests_signed: true
-        want_response_signed: true
+            text: "https://researchdata.tuwien.ac.at/static/images/tu-wien-logo.png"
+            width: "1000"
+            height: "1000"
+        authn_requests_signed: false
+        want_response_signed: false
        allow_unsolicited: true
        endpoints:
          assertion_consumer_service: