
OIDC to SAML proxy

This project runs a Satosa instance configured with an OIDC frontend and a SAML backend, so it acts as a proxy between OIDC relying parties and a SAML identity provider.

Requirements

  • Python 3.8+
  • Pipenv

Running the project

Some environment variables need to be set in order to run the project. They are outlined in example.env.

Create a .env file and set those variables to the values required for your deployment.

To run the project locally, you need to install the dependencies via pipenv install. Afterwards, you can start the service via run.sh.

To run the project in containers, it's enough to simply run docker compose up --build.

Relevant routes

Both the frontend and backend are available under paths starting with their configured names:

The OIDC frontend is available under the path /oauth. For instance, /oauth/jwks publishes the key set used to verify the signatures on the JWTs the frontend issues.

Similarly, the SAML backend endpoints are available under the path /saml. The SAML metadata is available under /saml/metadata.xml in XML format.

SSL/TLS keys

Our Satosa setup needs three sets of key files for its operation:

  1. The usual key and certificate for enabling HTTPS on Gunicorn
  2. A key and certificate for SAML signatures
  3. A public/private key pair (but no certificate) for signing OIDC JWTs

The HTTPS certificate must be valid and signed by a certificate authority that clients trust.

The certificate used for SAML signatures doesn't have to be signed by any trusted certificate authority. A self-signed one is absolutely fine, and its expiration date also doesn't matter. What matters is that you are the only one able to produce signatures that the other SAML participants will verify. The certificate is exposed publicly as part of the SAML metadata. There is no need to rotate the certificate or the private key; just keep the private key safe.

The situation is similar for the public/private key pair used to sign the OIDC JWTs: no certificate is needed, only the private key file.
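A check that the proxy really publishes the key material described above, added here as an example that is not part of this project: it parses a SAML metadata document of the kind served at /saml/metadata.xml and a JWKS of the kind served at /oauth/jwks (both constructed inline, with a placeholder byte string standing in for a real certificate and an assumed entityID and kid), confirms that the metadata carries the fingerprint of your own SAML signing certificate, and flags any JWKS entry that carries private key parameters.

```python
"""Added example (not project code): check what /saml/metadata.xml and /oauth/jwks publish.
Both documents are constructed inline; a deploy script would fetch them from the proxy."""
import base64
import hashlib
import json
import xml.etree.ElementTree as ET
from typing import List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of your self-signed SAML certificate (test.crt);
# a real check would read that file and fingerprint it the same way.
LOCAL_SAML_CERT_DER = b"CONSTRUCTED-NOT-A-REAL-CERTIFICATE"
LOCAL_SAML_FINGERPRINT = hashlib.sha256(LOCAL_SAML_CERT_DER).hexdigest()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://proxy.example.invalid/saml/metadata.xml"><md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(LOCAL_SAML_CERT_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor></md:EntityDescriptor>"""

PUBLIC_JWK = {"kty": "RSA", "use": "sig", "kid": "constructed-kid-1", "e": "AQAB", "n": "AQAB"}
SAMPLE_JWKS = json.dumps({"keys": [PUBLIC_JWK]})
# The misconfiguration to catch: a JWKS built from the private key file, still carrying "d".
LEAKY_JWKS = json.dumps({"keys": [dict(PUBLIC_JWK, d="AQAB")]})

PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")  # RFC 7518 private RSA/EC members


def saml_signing_fingerprints(metadata_xml: str) -> List[str]:
    """SHA-256 fingerprints of every certificate the metadata publishes for signing."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))  # drop line wrapping
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def audit_jwks(jwks_json: str) -> dict:
    """Split JWKS signing keys into clean public keys and keys leaking private parameters."""
    public_kids, leaked_kids = [], []
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use", "sig") != "sig":
            continue
        (leaked_kids if any(p in key for p in PRIVATE_PARAMS) else public_kids).append(key["kid"])
    return {"public_kids": public_kids, "leaked_kids": leaked_kids}
```

Run it against the live endpoints by substituting the fetched documents for the constructed samples; a non-empty leaked_kids list or a missing fingerprint should fail the deployment.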

Generating keys and certificates

Generate a new private key with certtool (part of GnuTLS): certtool --generate-privkey --outfile test.key

Generate a self-signed certificate from an existing private key: certtool --generate-self-signed --load-privkey test.key --outfile test.crt

Viewing info about keys and files

View info about the private key from a private key file: certtool --key-info --load-privkey test.key

View info about the public key from a private key file: certtool --pubkey-info --load-privkey test.key

View info about a certificate from a certificate file: certtool --certificate-info --infile test.crt