## Overview
The configuration of Openconext-Stepup is stored in Stepup-Middleware. The configuration is pushed as JSON to a REST endpoint of this component.
The current configuration consists of three parts:
- Whitelist
  - The list of institutions (schacHomeOrganization) allowed to use the self-service portal.
  - Included in the `stepup-institutions` collection.
- Config
  - The email templates (to Middleware).
  - Data of the services allowed to use Stepup-Gateway as a SAML IdP, currently only SFO endpoints.
  - New collection: `sfo`.
  - Schema.
- Institution (new collection)
  - The settings per affiliated institution.
  - This becomes the `stepup-institutions` collection.
## Display in Manage
- 1 extra tab in the main menu: `Stepup`
- 2 sub-tabs: `sfo`, `institutions`
## Stepup Middleware endpoints
- `https://{{ middleware_vhost_name }}/management/configuration`
- `https://{{ middleware_vhost_name }}/management/institution-configuration`
- `https://{{ middleware_vhost_name }}/management/whitelist/replace`
## Changes in Stepup-Middleware

### sfo collection

```json
{
  "entity_id": "http://institution.tld/stepup-mfa",
  "public_key": "MIID...",
  "acs": [
    "https://institution.tld:443/adfs/"
  ],
  "loa": {
    "__default__": "{{ stepup_uri_loa2 }}"
  },
  "assertion_encryption_enabled": false,
  "second_factor_only": true,
  "second_factor_only_nameid_patterns": [
    "urn:collab:person:uva.nl:*"
  ],
  "blacklisted_encryption_algorithms": []
}
```

- `loa`: enum, 1 value
- `acs`: 1 value
- `blacklisted_encryption_algorithms`: array of strings
### stepup-institutions collection

```json
{
  "identifier": "institution.tld",
  "use_ra_locations": true,
  "show_raa_contact_information": true,
  "verify_email": true,
  "allowed_second_factors": ["yubikey", "webauthn", "azuremfa"],
  "number_of_tokens_per_identity": 3,
  "use_ra": ["institution.tld", "other.tld"],
  "use_raa": ["institution.tld"],
  "select_raa": ["institution.tld"],
  "self_vet": true,
  "allow_self_asserted_tokens": false,
  "sso_on_2fa": false,
  "stepup-client": "full"
}
```

- `use_ra`, `use_raa`, and `select_raa` validate against identifiers from this collection.
- Field `stepup-client` per IdP, enum with values: `freerider` or `full`.
- `allowed_second_factors`: enum with values `azuremfa`, `yubikey`, `tiqr`, `webauthn` and `sms`.
## Checklist
- Create schemas (re-use `MetaData` and auto-generate `entityid`)
- GUI tabs and menu
- Server-side validation (hook)
- Config in Manage endpoints
- Push everything, no distinction between components
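The field rules listed for the `sfo` and `stepup-institutions` collections (one `acs` value, one `loa` value, the two enums, and the `use_ra`/`use_raa`/`select_raa` references that must resolve to identifiers in the same collection) are the kind of checks the "server-side validation (hook)" item in the checklist would enforce before anything is pushed to Middleware. The following is an added example of such a validator, not Manage's own hook or schema; the function names, the error-message format and the sample documents are assumptions, and the sample institution collection is constructed so that `other.tld` exists for the cross-reference check. A reference to an institution that is not in the collection matters because `use_ra`/`use_raa` delegate RA rights, so an unresolvable identifier should be rejected rather than silently pushed.

```python
"""Constructed example validator for Stepup `sfo` and `stepup-institutions`
documents, following the rules stated in the issue. Not Manage's own code."""

# Enumerations as listed in the issue.
SECOND_FACTORS = {"azuremfa", "yubikey", "tiqr", "webauthn", "sms"}
STEPUP_CLIENTS = {"freerider", "full"}


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_sfo(doc):
    """Return a list of errors for one `sfo` document (empty list means valid)."""
    errors = []
    for key in ("entity_id", "public_key", "acs", "loa"):
        if key not in doc:
            errors.append(f"sfo: missing required field '{key}'")
    acs = doc.get("acs", [])
    if not (_is_str_list(acs) and len(acs) == 1):          # acs: exactly 1 value
        errors.append("sfo: 'acs' must contain exactly one ACS URL")
    loa = doc.get("loa", {})
    if not (isinstance(loa, dict) and len(loa) == 1):       # loa: exactly 1 value
        errors.append("sfo: 'loa' must contain exactly one value")
    if not _is_str_list(doc.get("blacklisted_encryption_algorithms", [])):
        errors.append("sfo: 'blacklisted_encryption_algorithms' must be an array of strings")
    if not _is_str_list(doc.get("second_factor_only_nameid_patterns", [])):
        errors.append("sfo: 'second_factor_only_nameid_patterns' must be an array of strings")
    for flag in ("assertion_encryption_enabled", "second_factor_only"):
        if flag in doc and not isinstance(doc[flag], bool):
            errors.append(f"sfo: '{flag}' must be a boolean")
    return errors


def validate_institution(doc, known_identifiers):
    """Return errors for one `stepup-institutions` document.

    `known_identifiers` holds the `identifier` of every institution in the
    collection; use_ra / use_raa / select_raa may only reference those.
    """
    errors = []
    ident = doc.get("identifier")
    if not isinstance(ident, str) or not ident:
        errors.append("institution: 'identifier' is required")
    for field in ("use_ra", "use_raa", "select_raa"):
        refs = doc.get(field, [])
        if not _is_str_list(refs):
            errors.append(f"institution: '{field}' must be a list of identifiers")
            continue
        for ref in refs:
            if ref not in known_identifiers:   # cross-collection reference check
                errors.append(f"institution: '{field}' references unknown institution '{ref}'")
    for sf in doc.get("allowed_second_factors", []):
        if sf not in SECOND_FACTORS:
            errors.append(f"institution: unknown second factor '{sf}'")
    client = doc.get("stepup-client")
    if client is not None and client not in STEPUP_CLIENTS:
        errors.append("institution: 'stepup-client' must be 'freerider' or 'full'")
    n = doc.get("number_of_tokens_per_identity")
    if n is not None and (isinstance(n, bool) or not isinstance(n, int) or n < 1):
        errors.append("institution: 'number_of_tokens_per_identity' must be a positive integer")
    return errors


def validate_institution_collection(docs):
    """Validate a whole collection so that references resolve within it."""
    known = {d["identifier"] for d in docs if isinstance(d.get("identifier"), str)}
    errors = []
    for d in docs:
        errors.extend(validate_institution(d, known))
    return errors


# Constructed sample input, modelled on the documents in the issue.
SAMPLE_SFO = {
    "entity_id": "http://institution.tld/stepup-mfa",
    "public_key": "MIID...",
    "acs": ["https://institution.tld:443/adfs/"],
    "loa": {"__default__": "{{ stepup_uri_loa2 }}"},
    "assertion_encryption_enabled": False,
    "second_factor_only": True,
    "second_factor_only_nameid_patterns": ["urn:collab:person:uva.nl:*"],
    "blacklisted_encryption_algorithms": [],
}
SAMPLE_INSTITUTIONS = [
    {"identifier": "institution.tld", "allowed_second_factors": ["yubikey", "webauthn", "azuremfa"],
     "number_of_tokens_per_identity": 3, "use_ra": ["institution.tld", "other.tld"],
     "use_raa": ["institution.tld"], "select_raa": ["institution.tld"], "stepup-client": "full"},
    {"identifier": "other.tld", "allowed_second_factors": ["sms"], "stepup-client": "freerider"},
]

if __name__ == "__main__":
    print(validate_sfo(SAMPLE_SFO) or "sfo ok")
    print(validate_institution_collection(SAMPLE_INSTITUTIONS) or "institutions ok")
```

Running the block on the constructed samples reports both documents as valid; drop `other.tld` from the collection, or add an unlisted token type such as a hypothetical `totp`, and the corresponding errors are returned instead of the push proceeding.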
Status: In Progress