An implementation of eIDAS-Node 2.3.x Specific Connector and Proxy Service.
Project description
eIDAS Specific Node
Django implementation of member specific Connector and Proxy Service for CEF eIDAS Node version 2.4 and later.
Requirements
- Django 2.2.x
- Django AppSettings >= 0.5
- lxml
- xmlsec
- Apache Ignite Python client (optional)
Changes
See CHANGELOG.md for changes.
Specific Proxy Service
Sample settings are provided in samples/proxy_service_settings.py
.
Usage
To use eIDAS Proxy Service, adjust Django settings:
- Set up Django template engine and static files.
- Add
'eidas_node.proxy_service.apps.ProxyServiceConfig'
toINSTALLED_APPS
. - Set
ROOT_URLCONF
to'eidas_node.proxy_service.urls'
or include it in your URL configuration. - Provide mandatory configuration options
PROXY_SERVICE_REQUEST_TOKEN
,PROXY_SERVICE_RESPONSE_TOKEN
,PROXY_SERVICE_LIGHT_STORAGE
, andPROXY_SERVICE_IDENTITY_PROVIDER
(see below).
Settings
PROXY_SERVICE_REQUEST_TOKEN
Settings of a light token corresponding to an incoming light request. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.LIFETIME
(optional, default10
): A lifetime of the light token in minutes until is its considered expired. Set to0
for unlimited lifetime.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
PROXY_SERVICE_RESPONSE_TOKEN
Settings of a light token corresponding to an outgoing light response. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
PROXY_SERVICE_LIGHT_STORAGE
Settings for a storage of light requests and responses. A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.IgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.request_cache_name
: The cache to retrieve light requests (e.g.,nodeSpecificProxyserviceRequestCache
).response_cache_name
: The cache to store light responses (e.g.,specificNodeProxyserviceResponseCache
).timeout
: A timeout for socket operations.
PROXY_SERVICE_IDENTITY_PROVIDER
Settings for the interaction with Identity Provider. A dictionary with following items:
ENDPOINT
(required): The URL where the Identity Provider expects authentication requests.REQUEST_ISSUER
(required): The issuer of the authentication request registered at Identity Provider.KEY_FILE
(optional, defaultNone
): The path of a key to decrypt Identity Provider's authentication response.CERT_FILE
(optional, defaultNone
): The path of a certificate to verify the signature of Identity Provider's authentication response.REQUEST_SIGNATURE
(dictionary, required, use{}
to disable signing): Options for signing SAML requests sent to Service Provider:KEY_FILE
(required, string): The path to a signing key.CERT_FILE
: (required, string): The path to the corresponding certificate.SIGNATURE_METHOD
(optional, string, defaultRSA_SHA512
): XML signature method.DIGEST_METHOD
(optional, string, defaultSHA512
): XML digest method.
PROXY_SERVICE_EIDAS_NODE
Settings for the interaction with eIDAS Node. A dictionary with following items:
PROXY_SERVICE_RESPONSE_URL
(required): The URL where eIDAS Node expects authentication responses (e.g.,https://test.example.net/EidasNode/SpecificProxyServiceResponse
).RESPONSE_ISSUER
(required): The issuer for light responses specified in eIDAS Node configuration.
PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK
Optional boolean, disabled by default.
If enabled, PROXY_SERVICE_AUXILIARY_STORAGE
must be set too.
If the transient name ID format is requested in the request but a different format is provided in the response, a new random transient ID is generated instead of the provided ID.
PROXY_SERVICE_TRACK_COUNTRY_CODE
Optional boolean, disabled by default.
If enabled, PROXY_SERVICE_AUXILIARY_STORAGE
must be set too.
Once enabled, the country code of the request is logged along with the status of the corresponding request.
PROXY_SERVICE_AUXILIARY_STORAGE
An auxiliary storage to hold some response metadata needed during request processing.
It is required if PROXY_SERVICE_TRACK_COUNTRY_CODE
or PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK
is enabled.
A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.AuxiliaryIgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheAuxiliaryIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.cache_name
: The cache to store the data.prefix
: The prefix for cache keys (optional).timeout
: A timeout for socket operations.
PROXY_SERVICE_LEVELS_OF_ASSURANCE
An optional mapping of Authentication Context Classes (str
) to Levels of Assurance (eidas_node.constants.LevelOfAssurance
).
The default mapping is empty so other classes than Levels of Assurance are unrecognized and propagated as an error. Example:
from eidas_node.constants import LevelOfAssurance
PROXY_SERVICE_LEVELS_OF_ASSURANCE = {
'urn:oasis:names:tc:SAML:2.0:ac:classes:Password': LevelOfAssurance.LOW,
}
Customization
You can customize the authorization flow by subclassing view classes in eidas_node.proxy_service.views
, overriding necessary methods and adjusting URL configuration.
CZ NIA
eidas_node.proxy_service.cznia
(ROOT_URLCONF = 'eidas_node.proxy_service.cznia.urls'
) contains modifications required for CZ NIA (the official identity provider of the Czech Republic) with following settings:
PROXY_SERVICE_STRIP_PREFIX
(boolean, optional, defaultFalse
): If the Subject ID starts with a'CZ/CZ/'
prefix, it is stripped.
Specific Connector
Sample settings are provided in samples/connector_settings.py
.
Usage
To use eIDAS Connector, adjust Django settings:
- Set up Django template engine and static files.
- Add
'eidas_node.connector.apps.ConnectorConfig'
toINSTALLED_APPS
. - Set
ROOT_URLCONF
to'eidas_node.connector.urls'
or include it in your URL configuration. - Provide mandatory configuration options
CONNECTOR_REQUEST_TOKEN
,CONNECTOR_RESPONSE_TOKEN
,CONNECTOR_LIGHT_STORAGE
, andCONNECTOR_SERVICE_PROVIDER
(see below).
Views
Setting ROOT_URLCONF
to eidas_node.connector.urls
will provide you with three main views:
-
/CountrySelector
: Accepts a SAML Request and Relay State from Service Provider and lets user select his/her country unless it has already been provided. The SAML Request is then forwarded to/ServiceProviderRequest
endpoint.- Method: HTTP POST.
- POST Parameters:
SAMLRequest
(required): A SAML request to forward to eIDAS Network.RelayState
(required): A relay state.country
or the value set inCONNECTOR_SERVICE_PROVIDER['COUNTRY_PARAMETER']
(optional): Citizen country code.
-
/ServiceProviderRequest
: Accepts a SAML Request, Relay State and citizen country code from Service Provider and forwards the request to eIDAS Network.- Method: HTTP POST.
- POST Parameters:
SAMLRequest
(required): A SAML request to forward to eIDAS Network.RelayState
(required): A relay state.country
or the value set inCONNECTOR_SERVICE_PROVIDER['COUNTRY_PARAMETER']
(required): Citizen country code.
-
/ConnectorResponse
: Accepts a light token from eIDAS Network and forwards corresponding light response to Service Provider.- Method: HTTP POST.
- POST Parameters:
token
or the value set inCONNECTOR_RESPONSE_TOKEN['PARAMETER_NAME']
(required): A light token corresponding to a light response.
Setting ROOT_URLCONF
to eidas_node.connector.demo.urls
will provide you with two additional views:
/DemoServiceProviderRequest
: A demo service provider page for sending preset SAML requests to Specific Connector./DemoServiceProviderResponse
: A demo service provider page for displaying SAML responses from Specific Connector.
Settings
CONNECTOR_REQUEST_TOKEN
Settings of a light token corresponding to an outgoing light request. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
CONNECTOR_RESPONSE_TOKEN
Settings of a light token corresponding to an incoming light response. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.LIFETIME
(optional, default10
): A lifetime of the light token in minutes until is its considered expired. Set to0
for unlimited lifetime.
CONNECTOR_LIGHT_STORAGE
Settings for a storage of light requests and responses. A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.IgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.request_cache_name
: The cache to retrieve light requests (e.g.,specificNodeConnectorRequestCache
).response_cache_name
: The cache to store light responses (e.g.,nodeSpecificConnectorResponseCache
).timeout
: A timeout for socket operations in seconds.
CONNECTOR_SERVICE_PROVIDER
Settings for the interaction with Service Provider. A dictionary with following items:
ENDPOINT
(required): The URL where the Service Provider expects authentication responses.CERT_FILE
(optional, defaultNone
): The path of a certificate to verify the signature of Service Provider's authentication requests.REQUEST_ISSUER
(required): The expected issuer of the Service Provider's authentication request.RESPONSE_ISSUER
(required): The issuer of the authentication response registered at Service Provider.COUNTRY_PARAMETER
(optional, defaultcountry
): The name of a POST parameter containing citizen country code for/CitizenCountrySelector
and/ServiceProviderRequest
views.RESPONSE_SIGNATURE
(dictionary, required, use{}
to disable signing): Options for signing SAML responses returned to Service Provider:KEY_FILE
(required, string): The path to a signing key.CERT_FILE
: (required, string): The path to the corresponding certificate.SIGNATURE_METHOD
(optional, string, defaultRSA_SHA512
): XML signature method.DIGEST_METHOD
(optional, string, defaultSHA512
): XML digest method.
RESPONSE_ENCRYPTION
(dictionary, required, use{}
to disable encryption): Options for encrypting SAML responses returned to Service Provider:CERT_FILE
: (required, string): The path to the certificate to encrypt a generated encryption key.ENCRYPTION_METHOD
(optional, string, defaultAES256_GCM
): XML encryption method.AES256_GCM
,AES192_GCM
, andAES168_GCM
are available with libxmlsec1 >= 1.2.27.AES256_CBC
,AES192_CBC
,AES168_CBC
, andTRIPLEDES_CBC
are supported by older libxmlsec1 but should not be used without consideration of possibly severe security risks.KEY_TRANSPORT
(optional, string, defaultRSA_OAEP_MGF1P
): XML key transport method.RSA
(RSA Version 1.5) andRSA_OAEP_MGF1P
(RSA-OAEP with MGF1-SHA1 as a mask generation function) are supported.
RESPONSE_VALIDITY
(int, optional, default 10): The validity of the SAML response in minutes.
CONNECTOR_EIDAS_NODE
Settings for the interaction with eIDAS Node. A dictionary with following items:
CONNECTOR_REQUEST_URL
(required): The URL where eIDAS Node expects authentication requests (e.g.,https://test.example.net/EidasNode/SpecificConnectorRequest
).REQUEST_ISSUER
(required): The issuer for light requests specified in eIDAS Node configuration.
CONNECTOR_ALLOWED_ATTRIBUTES
A set containing URI names (strings, e.g. 'http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'
) of attributes that a service provider can request.
Other attributes are dropped from the authentication request.
All eIDAS natural and legal person attributes are enabled by default.
An empty set disables the filter.
CONNECTOR_SELECTOR_COUNTRIES
A list of pairs with country code and name to be displayed in citizen country selector (/CitizenCountrySelector
).
Default is all 28 countries of EU.
CONNECTOR_TRACK_COUNTRY_CODE
Optional boolean, disabled by default.
If enabled, CONNECTOR_AUXILIARY_STORAGE
must be set too.
Once enabled, the country code of the request is logged along with the status of the corresponding request.
CONNECTOR_AUXILIARY_STORAGE
An auxiliary storage to hold some response metadata needed during request processing.
It is required if CONNECTOR_TRACK_COUNTRY_CODE
is enabled.
A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.AuxiliaryIgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheAuxiliaryIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.cache_name
: The cache to store the data.prefix
: The prefix for cache keys (optional).timeout
: A timeout for socket operations.
Customization
You can customize the authorization flow by subclassing view classes in eidas_node.connector.views
, overriding necessary methods and adjusting URL configuration.
Copyright
- The django-eidas-specific-node project:
- Copyright 2019 CZ.NIC, z. s. p. o.
- License: GPL-3+
- Country flags:
- Copyright 2013 Panayiotis Lipiridis
- License: MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for eidas_node-0.9.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 85ac987bcb5d9a531ffb24101fc3d4e6642004b4166f7acbf8868bd27a95b1cb |
|
MD5 | 16069a6c34efd0abaee15c90ccc89e28 |
|
BLAKE2b-256 | c282535dd4454031558bc4e3075c0912c97ebd5b6fadd7797e58cff6a320be82 |