diff --git a/README.md b/README.md
index 26e6727f797aba883d34f1b4f02d69ca9f1db7e5..742a342d825ff65cf4547bcd04c35e81cad8b893 100644
--- a/README.md
+++ b/README.md
@@ -26,11 +26,13 @@ To run the project in containers, it's enough to simply run `docker compose up -
Both the frontend and backend are available under paths starting with their configured names:
-The OIDC frontend is available under the path `/oauth`.
-For instance, `/oauth/jwks` gives information about the key used for signing the JWTs.
+The OIDC frontend is available under the path `/oidc`.
+For instance, `/oidc/jwks` gives information about the key used for signing the JWTs.
-Similarly, the SAML backend endpoints are available under the path `/saml`.
-The SAML metadata is available under `/saml/metadata.xml` in XML format.
+Further information can be found under the top-level endpoint `/.well-known/openid-configuration`.
+
+The SAML backend endpoints are available under the path `/saml`.
+The metadata is available under `/saml/metadata.xml` in XML format.
## SSL/TLS keys
diff --git a/config/oidc-frontend.yaml b/config/oidc-frontend.yaml
index 7ab1b3b4c5390e2889c0f707d3ad309221933c2b..d8b6d84a5b78261d562715efe29e589b0d0183d8 100644
--- a/config/oidc-frontend.yaml
+++ b/config/oidc-frontend.yaml
@@ -3,10 +3,10 @@
# https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/frontends/openid_connect_frontend.yaml.example
#
module: satosa.frontends.openid_connect.OpenIDConnectFrontend
-name: oauth
+name: oidc
config:
signing_key_path: !ENV SATOSA_OIDC_KEY_FILE
- signing_key_id: oauth
+ signing_key_id: oidc
# Defines the database connection URI for the databases:
# - authz_code_db
@@ -35,18 +35,13 @@ config:
# if not specified, it is randomly generated on every startup
sub_hash_salt: !ENV SATOSA_OIDC_HASH_SALT
+ sub_mirror_subject: no
provider:
client_registration_supported: yes
- response_types_supported: ["code"] #, "id_token token"]
+ response_types_supported: ["code"]
subject_types_supported: ["pairwise"]
scopes_supported: ["openid", "email", "profile"]
- extra_scopes:
- foo_scope:
- - bar_claim
- - baz_claim
+ extra_scopes: {}
id_token_lifetime: 3600
- extra_id_token_claims:
- foo_client:
- - bar_claim
- - baz_claim
+ extra_id_token_claims: {}
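Review bot: The added `sub_mirror_subject: no` relies on YAML 1.1 boolean resolution; write `sub_mirror_subject: false` so the intent is explicit and survives a 1.2-strict loader, and the existing `client_registration_supported: yes` two lines below is the same idiom. The loader SATOSA uses for this file (presumably PyYAML, given the `!ENV` tag) does resolve `no` to false, so this is a style point rather than a behavioural one. Leaving `client_registration_supported` enabled means any party can self-register as a relying party of this proxy; if that is deliberate for this deployment, a one-line comment above it stating so would help the next reader, e.g. `# dynamic client registration is open on purpose: <reason>`.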
diff --git a/config/saml2-backend.yaml b/config/saml2-backend.yaml
index 6c0f89276667353bf15e63e1f8258852f7336deb..d4e4a7c243add9ceeb0cbf4608d57aca18c12e87 100644
--- a/config/saml2-backend.yaml
+++ b/config/saml2-backend.yaml
@@ -2,13 +2,20 @@
# based on the example SAML backend configuration:
# https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/backends/saml2_backend.yaml.example
#
+# more information:
+# https://wiki.oasis-open.org/security/FrontPage
+#
module: satosa.backends.saml2.SAMLBackend
name: saml
config:
idp_blacklist_file: blacklist.json
+ # ACR: authentication class context reference
+ # LOA: level of authentication
+ #
+ # we choose PW + TLS, c.f. https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
acr_mapping:
- "": default-LoA
+ "": urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
# disco_srv must be defined if there is more than one IdP in the metadata specified above
#disco_srv: http://disco.example.com
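Review bot: The added comment expansions are inaccurate — ACR is the SAML Authentication Context Class Reference (the `AuthnContextClassRef` element) and LoA is level of assurance, not "authentication class context reference" / "level of authentication"; suggested `# ACR: Authentication Context Class Reference (SAML AuthnContextClassRef)` and `# LoA: level of assurance`. The same comment block should also say what the `""` key does: if I read SATOSA's `acr_mapping` correctly it is the fallback entry for every IdP without its own entity-ID key, and the mapped value replaces the ACR received from the IdP, so every upstream IdP will be reported downstream as PasswordProtectedTransport irrespective of what it actually asserted. A line such as `# "" is the fallback for every IdP without its own entry; the mapped value overrides the ACR the IdP sent — confirm against SATOSA` would stop a later reader from mistaking this for a minimum requirement enforced on the IdP.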
@@ -59,11 +66,11 @@ config:
- lang: en
text: ["TU Wien", "Research Data"]
logo:
- text: "https://researchdata.tuwien.ac.at/static/images/favicon-32x32.png"
- width: "32"
- height: "32"
- authn_requests_signed: true
- want_response_signed: true
+ text: "https://researchdata.tuwien.ac.at/static/images/tu-wien-logo.png"
+ width: "1000"
+ height: "1000"
+ authn_requests_signed: false
+ want_response_signed: false
allow_unsolicited: true
endpoints:
assertion_consumer_service:
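Review bot: `authn_requests_signed: false` and `want_response_signed: false` weaken the SP's SAML posture with no comment saying why, and with `allow_unsolicited: true` kept on the following line the response signature was the remaining integrity check on responses that carry no InResponseTo. If the intent is to accept responses whose assertions are signed instead, this section needs `want_assertions_signed: true` (or pysaml2's `want_assertions_or_response_signed: true`); the enclosing mapping (presumably `service.sp`) starts above the hunk, so I cannot see whether either is set — please confirm, and add a comment such as `# response-level signing disabled because <IdP reason>; assertions must still be signed (want_assertions_signed)`. The `endpoints` mapping that begins on the last line continues past the hunk.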