Skip to content
This repository has been archived by the owner on Jan 9, 2025. It is now read-only.
/ oidc-fed Public archive

Example implementation of model for OpenID Connect federations.

License

Apache-2.0 license
4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

its-dirg/oidc-fed

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
model-doc @ ae08863
model-doc @ ae08863
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
setup.py
setup.py
 
 
tox.ini
tox.ini
 
 

Repository files navigation

Federation operator

  1. Create a private RSA key (with openssl: openssl genrsa -out private.pem <keylen>)
  2. Create a public and private JWK from the RSA key: 
    oidc-fed/src/services/utils/rsa_key_to_jwk.py <hostname> private.pem
  3. Issue new software statements with the private JWK using oidc-fed/src/services/fo/fo.py: 
     oidc-fed/src/services/fo/fo.py <entity_data>.json <hostname>.jwk

Make sure to give the public JWK, <hostname>.pub.jwk, together with the software statement to any new parties joining the federation.

Identity Provider Operator

  1. Get a software statement and public JWK from all federations that the IdP should be part of. Make sure it includes the correct URL as issuer.
  2. Create a private RSA key (with openssl: openssl genrsa -out private.pem <keylen>)
  3. Convert it to a JWK with 
    oidc-fed/src/services/utils/rsa_key_to_jwk.py <hostname> private.pem

If you want to use an existing SAML IdP

The SATOSA proxy can be used to integrate an existing SAML IdP into a OpenID Connect federation.

  1. Configure the SATOSA proxy, see the installation instructions first:
  2. For the frontend, acting as an OP, copy oidc-fed/src/oidc_fed/satosa/oidc-fed_frontend.yaml.example 1. Add the private JWK (<hostname>.jwk) created with rsa_key_to_jwk.py under the key root_key_jwk. 1. Add all software statements under the key software_statements. 1. Add all federation keys under the key federations_jwk
  3. For the backend, acting as a SAML SP towards your IdP, see the instructions.

If you want to setup a standalone OP

  1. Use the provider implementation bundled with the project (oidc-fed/src/services/op/op.py):
    1. Install the library and the dependencies:
    pip install . -r oidc-fed/src/services/requirements.txt
    1. Copy the example files:
    cp oidc-fed/src/services/op/app_config.py.example oidc-fed/src/services/op/app_config.py
cp oidc-fed/src/services/op/config.yaml.example oidc-fed/src/services/op/config.yaml
  2. Get a key and certificate for SSL/TLS (or create a self-signed certificate).
  3. Configure the provider in oidc-fed/src/services/op/config.yaml:
    1. Add the private JWK (<hostname>.jwk) created with rsa_key_to_jwk.py under the key root_key_jwk.
    2. Add all software statements under the key software_statements.
    3. Add all federation JWK's under the key federations_jwk
  4. Configure the web app in oidc-fed/src/services/op/app_config.py:
    1. Specify the path to the YAML file created in the above step in PROVIDER_CONFIG.
    2. Specify the SERVER_NAME. Make sure that the host name (and optional port) matches the one in the issuer URL in the software statement(s).
    3. Specify the SSL/TLS key and cert in HTTPS_KEY and HTTPS_CERT respectively.
  5. Run the provider: 
    OIDCFED_PROVIDER_CONFIG=<path to app_config.py.example> oidc-fed/src/services/op/op.py

Relying Party Operator

  1. Get a software statement and public JWK from all federations that the RP should be part of. Make sure it contains the correct redirect_uris.
  2. Create a private RSA key (with openssl: openssl genrsa -out private.pem <keylen>)
  3. Convert it to a JWK with 
    oidc-fed/src/services/utils/rsa_key_to_jwk.py <hostname> private.pem

If you want to setup a standalone RP

  1. Use the relying party implementation bundled with the project (oidc-fed/src/services/rp/rp.py):
    1. Install the library and the dependencies:
    pip install . -r oidc-fed/src/services/requirements.txt
    1. Copy the example files:
    cp oidc-fed/src/services/rp/app_config.py.example oidc-fed/src/services/rp/app_config.py
cp oidc-fed/src/services/rp/config.yaml.example oidc-fed/src/services/rp/config.yaml
  2. Get a key and certificate for SSL/TLS (or create a self-signed certificate).
  3. Configure the relying party in oidc-fed/src/services/rp/config.yaml:
    1. Add the private JWK (<hostname>.jwk) created with rsa_key_to_jwk.py under the key root_key_jwk.
    2. Add all software statements under the key software_statements.
    3. Add all federation JWK's under the key federations_jwk
  4. Configure the web app in oidc-fed/src/services/rp/app_config.py:
    1. Specify the path to the YAML file created in the above step in PROVIDER_CONFIG.
    2. Specify the SERVER_NAME. Make sure that the software statement(s) includes https://<server_name>/finish as a redirect_uri.
    3. Specify the SSL/TLS key and cert in HTTPS_KEY and HTTPS_CERT respectively.
  5. Run the relying party 
    OIDCFED_RELYING_PARTY_CONFIG=<path to app_config.py.example> oidc-fed/src/services/rp/rp.py

If you want to use a native app for Android

  1. Coming soon...

About

Example implementation of model for OpenID Connect federations.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

4 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages