-
Notifications
You must be signed in to change notification settings - Fork 7
OIDCSAMLMetadata
(Under construction, for upcoming v3.0.0)
The plugin v2.1.0 provides a new facility to register OAuth2/OIDC services in SAML metadata. In comparison to the previously existing (JSON) format, all the same configuration options are available. The full specification is described in detail in the OAuthRPMetadataProfile specification (currently restricted).
For loading the metadata, all the options described in Shibboleth IdP V4 - Metadata Configuration are available.
As described above, the keyInfoProvidersRef attribute for metadata node processor controls how public keys and client secrets are resolved from SAML metadata. The default one (shibboleth.oidc.DefaultKeyInfoProviders) enables all the methods described in the next two subsections. In all cases, the public key or client secret for an RP is obtained from the KeyDescriptor element of its EntityDescriptor:
<EntityDescriptor ...>
<SPSSODescriptor xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:KeyInfo>
The trusted public keys can be resolved in the four following ways:
The following example adds the JWKS to the trusted JWKS:
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockJwkId</ds:KeyName>
<oidcmd:JwksData>
ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci
OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx
aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3
UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW
VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR
Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw
c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf
ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData>
The contents must be Base64-encoded JSON string, so the example above in decoded form is the following:
{
"kty": "RSA",
"e": "AQAB",
"kid": "mock",
"alg": "RS256",
"n": "pJptRrzrFXDRpZZGiFg5yoJyTO2ZaPCR4G0n11iERrPSvUX_m6BgojNjTFHJMik_ilhmW64CrKtiLvIQLQzUeyEwCdwXePwQZMxExT2OWkaCCWFI4tx_eEXddPkckSLDDa0EPwwsZKPPXhE3V50_gzVT2YAToDO_2j2xjVpqsSGEsLib6jnvtZUU_B0sGyJiGVs2JTNhBMSkOkQfK66CBqmlo0nPNMaR1mivtnIPmZ6rJTw0P5YgGEKXff0lknHonYVdlVKpsD8UnacBstYryHl3CPGe2stfGa1gsz4GHTe_FyVVM8RShCgXUZ717hzz_zGPiXCBL4fKDzNYQzHQ"
}
This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.InlineJwksProvider in the list of enabled methods.
The following example sets the URI for the remote JWKS to https://example.org/jwks:
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockJwksUri</ds:KeyName>
<oidcmd:JwksUri>https://example.org/jwks</oidcmd:JwksUri>
</ds:KeyInfo>
This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.JWKSReferenceProvider in the list of enabled methods.
The following example adds the public key to the trusted JWKS, with key identifier mockRSA:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockRSA</ds:KeyName>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj
K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e
XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt
IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I
X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
This method is enabled by including the bean with class org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider for RSA keys and/or org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider for DSA keys in the list of enabled methods.
The following example adds public key from the attached certificate to the trusted JWKS, with key identifier mockX509RSA:
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockX509RSA</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
MIIEQDCCAqigAwIBAgIVAIarXvdvyS47KJR7U40FlTufyD8vMA0GCSqGSIb3DQEB
CwUAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xOTA2MTcx
MTI5MTJaFw0zOTA2MTcxMTI5MTJaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2Nh
bGRvbWFpbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALXysGFnoBFh
oasd5uMecp9OTBjvztntPUVmHfm4R3AcItEMEZEN/pETcX/wgKdo4qCBq4PrZITa
T8Salgl0XL6qF1Wia3JNA7Hh/OaoQEUsbsHgsjLMKt6MJh8vIaE1o8loL7Ay4WmZ
Cr3wc8ZS6CpMsv+qbxkyfl1h7MTydETnQhg/X83bj+BjJSh7QeFU0d0SWK1dN2/D
nFoGOfuTfVqeDRIwMxKlR5G//8N202sLaG28NljaHhLn3jHXeiGpCQ+Q2X90dkFb
EKb6sQ6SlDUAzm9MwLYjglDyOhXpUqOnvD67nggLb4Gn/4k+g5wtdfr7unOJYcHK
w7JGnI8Gd0lJMd6B3SpkhUOWgKv/D6HIBArhqSEmXuTyy8FewyYuo1XkIw/Lu3bB
9qoBojM1tygoGlKi7R7e719J+DSkhyGbMyQ59leoN97iGGgqjUWS5mew8zSNviyz
4uGqvxmLWU9UTH1YhlARsBF1bMiMnwLz7dF74AaAkC4pN3BYzDMyHQIDAQABo3Ew
bzAdBgNVHQ4EFgQUwKUd9D1Qymu2oBEVTscrAhP+sIUwTgYDVR0RBEcwRYIVbG9j
YWxob3N0LmxvY2FsZG9tYWluhixodHRwczovL2xvY2FsaG9zdC5sb2NhbGRvbWFp
bi9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEAEYqh54a+j5OuR1UB
/AT9k2xXVwHiqQXAC/2un8O5BWAOeOq9+0gLJO5yaJp5c9GjPXRJmnDfGP9HFF6R
CjngtRCm1gV/fpj97IRQS5oroaeTWPQ9ZD5+ogs5DNt6UZeJ2GqpfA5mOytNg3cM
OP1B5QnA1apOaG4FHTegJR7WOIXkkAjEJUy6R+5Q6At7DdK/SRrP5onVPFv2HgGF
E9v9iX/uQepDizS5F2oi6LZCl1/b38gxA8BFL7VZu53JQguaA7SrnP+dBOErT/yh
Qcx3e9wE2ms8H1qISIdl3e7gvLi5jEyDWC9Agde6EjjvVVJAF7jR0puQ39mBfoxP
moVdHJQmCt3V7Ew9tYZUpG3rjp4YNXOiM+QhtwhHWT94q9uJKUQ6JvbxgLNDs5KM
3PENx2C60TPFne9nRRIMVDavU4wwY7GdCgeo8PiZ5zxI0ZCkxh38ODePtKQrxJ7i
E0J1BE2LIxa1T7KY0XKpsH0iI2dNfZfNpNp4v/HiDb4svYgq</ds:X509Certificate>
This method is enabled by including the bean with class org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider in the list of enabled methods.
The client secret values can be read from the SAML metadata in the following ways:
The following example sets client secret value to verySecretClientSecretKeyValue1234567890.
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<oidcmd:ClientSecret>verySecretClientSecretKeyValue1234567890</oidcmd:ClientSecret>
</ds:KeyInfo>
</KeyDescriptor>
This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.ClientSecretProvider in the list of enabled methods.
The following example sets client secret reference to secretReference1.
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<oidcmd:ClientSecretKeyReference>secretReference1</oidcmd:ClientSecretKeyReference>
</ds:KeyInfo>
</KeyDescriptor>
This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.ClientSecretReferenceProvider in the list of enabled methods. The bean must be fed with a list of desired resolution methods. Two are currently available:
1. Resolution via property file
The .properties file containing the client secrets can be configured via idp.oidc.metadata.clientSecretProperties in the IdP configuration properties. For instance with the following file:
secretReference1 = verySecretClientSecretKeyValue1234567890
secretReference2 = verySecretClientSecretKeyValue0987654321
The client secret value would be resolved to verySecretClientSecretKeyValue1234567890.
2. Resolution via resolver service
TODO
(Migrated)