Add engineblock parameters for SBS integration

roles/engineblock/defaults/main.yml

@@ -16,6 +16,7 @@ engine_api_feature_consent_listing: 1
 engine_api_feature_consent_remove: 0
 engine_api_feature_metadata_api: 1
 engine_api_feature_deprovision: 1
+engine_feature_enable_sbs_interrupt: 0
 
 # Cutoff point for showing unfiltered IdPs on the WAYF
 engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50
@@ -67,6 +68,12 @@ engine_minimum_execution_time_on_invalid_received_response: 5000
 engine_time_frame_for_authentication_loop_in_seconds: 60
 engine_maximum_authentication_procedures_allowed: 5
 
+# maximum number of outstandig AuthN requests per session; exceeding this results in a 429
+engine_max_authn_per_session: 30
+
+# timeout when doing external queries (e.g., to PDP, AA, SBS)
+engine_http_client_timeout: 10
+
 # This PCRE regex is used to blacklist incoming AuthnContextClassRef attributes on. If an empty string is used
 # the validation is skipped. The validator will throw an exception if the used regex is invalid.
 engine_stepup_authn_context_class_ref_blacklist_regex: '/http:\/\/{{ base_domain | regex_escape }}\/assurance\/loa[1-3]/'
@@ -86,6 +93,14 @@ engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain
 # The public key from the Stepup Gateway IdP
 engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }}"
 
+# SBS interrupt settings
+engine_sbs_base_url: "sbs.{{ base_domain }}"
+engine_sbs_attributes_allowed:
+  - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+  - 'urn:mace:dir:attribute-def:uid'
+  - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+  - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'
+
 ## The minimum priority of messages that will be logged
 engine_logging_passthru_level: NOTICE
 

roles/engineblock/templates/parameters.yml.j2

@@ -147,6 +147,11 @@ parameters:
     ## The value for guest qualifier. Can be overridden for specific environments
     addgueststatus_guestqualifier: '{{ guest_qualifier | default('') }}'
 
+    ## the timeout used when querying external sources (PDP, AA, etc)
+    http_client.timeout: {{ engine_http_client_timeout | int }}
+    ## maximum number of simultaneous open authentications per session (exceed this, and receive a 429)
+    maximum_authentications_per_session: {{ engine_max_authn_per_session | int }}
+
     ## Language cookie settings
     cookie.path: {{ cookie_path | default('/') }}
     cookie.secure: true
@@ -230,6 +235,7 @@ parameters:
     feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }}
     feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }}
     feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }}
+    feature_enable_sram_interrupt: {{ engine_feature_enable_sbs_interrupt | bool | to_json }}
     ##########################################################################################
     ## PROFILE SETTINGS
     ##########################################################################################
@@ -307,3 +313,14 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: {{ engineblock_log_attributes }}
+
+    ##########################################################################################
+    ## SBS external authorization/attribute enrichtment
+    ##########################################################################################
+    sram.api_token: "{{ engine_sbs_api_token | default('') }}"
+    sram.base_url: "https://{{ engine_sbs_base_url }}/api/users/"
+    sram.authz_location: "authz_eb"
+    sram.attributes_location: "attributes_eb"
+    sram.interrupt_location: "interrupt"
+    sram.verify_peer: true
+    sram.allowed_attributes: {{ engine_sbs_attributes_allowed }}