Django implementation of member specific Connector and Proxy Service for CEF eIDAS Node version 2.4 and later.
- Django 2.2.x
- Django AppSettings >= 0.5
- lxml
- xmlsec
- Apache Ignite Python client (optional)
See CHANGELOG.md for changes.
Sample settings are provided in samples/proxy_service_settings.py
.
To use eIDAS Proxy Service, adjust Django settings:
- Set up Django template engine and static files.
- Add
'eidas_node.proxy_service.apps.ProxyServiceConfig'
toINSTALLED_APPS
. - Set
ROOT_URLCONF
to'eidas_node.proxy_service.urls'
or include it in your URL configuration. - Provide mandatory configuration options
PROXY_SERVICE_REQUEST_TOKEN
,PROXY_SERVICE_RESPONSE_TOKEN
,PROXY_SERVICE_LIGHT_STORAGE
, andPROXY_SERVICE_IDENTITY_PROVIDER
(see below).
Settings of a light token corresponding to an incoming light request. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.LIFETIME
(optional, default10
): A lifetime of the light token in minutes until is its considered expired. Set to0
for unlimited lifetime.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
Settings of a light token corresponding to an outgoing light response. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
Settings for a storage of light requests and responses. A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.IgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.request_cache_name
: The cache to retrieve light requests (e.g.,nodeSpecificProxyserviceRequestCache
).response_cache_name
: The cache to store light responses (e.g.,specificNodeProxyserviceResponseCache
).timeout
: A timeout for socket operations.
Settings for the interaction with Identity Provider. A dictionary with following items:
ENDPOINT
(required): The URL where the Identity Provider expects authentication requests.REQUEST_ISSUER
(required): The issuer of the authentication request registered at Identity Provider.KEY_SOURCE
(optional, defaultNone
): The source ('file' or 'engine') of a key to decrypt Identity Provider's authentication response.KEY_LOCATION
(optional, defaultNone
): The path of a key to decrypt Identity Provider's authentication response.CERT_FILE
(optional, defaultNone
): The path of a certificate to verify the signature of Identity Provider's authentication response.REQUEST_SIGNATURE
(dictionary, required, use{}
to disable signing): Options for signing SAML requests sent to Service Provider:KEY_SOURCE
(required, string): The source ('file' or 'engine') of a signing key.KEY_LOCATION
(required, string): The path to a signing key.CERT_FILE
: (required, string): The path to the corresponding certificate.SIGNATURE_METHOD
(optional, string, defaultRSA_SHA512
): XML signature method.DIGEST_METHOD
(optional, string, defaultSHA512
): XML digest method.
Settings for the interaction with eIDAS Node. A dictionary with following items:
PROXY_SERVICE_RESPONSE_URL
(required): The URL where eIDAS Node expects authentication responses (e.g.,https://test.example.net/EidasNode/SpecificProxyServiceResponse
).RESPONSE_ISSUER
(required): The issuer for light responses specified in eIDAS Node configuration.
Optional boolean, disabled by default.
If enabled, PROXY_SERVICE_AUXILIARY_STORAGE
must be set too.
If the transient name ID format is requested in the request but a different format is provided in the response, a new random transient ID is generated instead of the provided ID.
Optional boolean, disabled by default.
If enabled, PROXY_SERVICE_AUXILIARY_STORAGE
must be set too.
Once enabled, the country code of the request is logged along with the status of the corresponding request.
An auxiliary storage to hold some response metadata needed during request processing.
It is required if PROXY_SERVICE_TRACK_COUNTRY_CODE
or PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK
is enabled.
A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.AuxiliaryIgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheAuxiliaryIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.cache_name
: The cache to store the data.prefix
: The prefix for cache keys (optional).timeout
: A timeout for socket operations.
An optional mapping of Authentication Context Classes (str
) to Levels of Assurance (eidas_node.constants.LevelOfAssurance
).
The default mapping is empty so other classes than Levels of Assurance are unrecognized and propagated as an error. Example:
from eidas_node.constants import LevelOfAssurance
PROXY_SERVICE_LEVELS_OF_ASSURANCE = {
'urn:oasis:names:tc:SAML:2.0:ac:classes:Password': LevelOfAssurance.LOW,
}
You can customize the authorization flow by subclassing view classes in eidas_node.proxy_service.views
, overriding necessary methods and adjusting URL configuration.
eidas_node.proxy_service.cznia
(ROOT_URLCONF = 'eidas_node.proxy_service.cznia.urls'
) contains modifications required for CZ NIA (the official identity provider of the Czech Republic) with following settings:
PROXY_SERVICE_STRIP_PREFIX
(boolean, optional, defaultFalse
): If the Subject ID starts with a'CZ/CZ/'
prefix, it is stripped.
Sample settings are provided in samples/connector_settings.py
.
To use eIDAS Connector, adjust Django settings:
- Set up Django template engine and static files.
- Add
'eidas_node.connector.apps.ConnectorConfig'
toINSTALLED_APPS
. - Set
ROOT_URLCONF
to'eidas_node.connector.urls'
or include it in your URL configuration. - Provide mandatory configuration options
CONNECTOR_REQUEST_TOKEN
,CONNECTOR_RESPONSE_TOKEN
,CONNECTOR_LIGHT_STORAGE
, andCONNECTOR_SERVICE_PROVIDER
(see below).
Setting ROOT_URLCONF
to eidas_node.connector.urls
will provide you with three main views:
-
/CountrySelector
: Accepts a SAML Request and Relay State from Service Provider and lets user select his/her country unless it has already been provided. The SAML Request is then forwarded to/ServiceProviderRequest
endpoint.- Method: HTTP POST.
- POST Parameters:
SAMLRequest
(required): A SAML request to forward to eIDAS Network.RelayState
(required): A relay state.country
or the value set inCONNECTOR_SERVICE_PROVIDER['COUNTRY_PARAMETER']
(optional): Citizen country code.
-
/ServiceProviderRequest
: Accepts a SAML Request, Relay State and citizen country code from Service Provider and forwards the request to eIDAS Network.- Method: HTTP POST.
- POST Parameters:
SAMLRequest
(required): A SAML request to forward to eIDAS Network.RelayState
(required): A relay state.country
or the value set inCONNECTOR_SERVICE_PROVIDER['COUNTRY_PARAMETER']
(required): Citizen country code.
-
/ConnectorResponse
: Accepts a light token from eIDAS Network and forwards corresponding light response to Service Provider.- Method: HTTP POST.
- POST Parameters:
token
or the value set inCONNECTOR_RESPONSE_TOKEN['PARAMETER_NAME']
(required): A light token corresponding to a light response.
Setting ROOT_URLCONF
to eidas_node.connector.demo.urls
will provide you with two additional views:
/DemoServiceProviderRequest
: A demo service provider page for sending preset SAML requests to Specific Connector./DemoServiceProviderResponse
: A demo service provider page for displaying SAML responses from Specific Connector.
Settings of a light token corresponding to an outgoing light request. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.
Settings of a light token corresponding to an incoming light response. A dictionary with following items:
HASH_ALGORITHM
(optional, default'sha256'
): A hash algorithm used for token digest.SECRET
(required): A token secret shared with eIDAS node.ISSUER
(required): An issuer of the light token.PARAMETER_NAME
(optional, default'token'
): The name of the HTTP POST parameter to provide encoded light token.LIFETIME
(optional, default10
): A lifetime of the light token in minutes until is its considered expired. Set to0
for unlimited lifetime.
Settings for a storage of light requests and responses. A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.IgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.request_cache_name
: The cache to retrieve light requests (e.g.,specificNodeConnectorRequestCache
).response_cache_name
: The cache to store light responses (e.g.,nodeSpecificConnectorResponseCache
).timeout
: A timeout for socket operations in seconds.
Settings for the interaction with Service Provider. A dictionary with following items:
ENDPOINT
(required): The URL where the Service Provider expects authentication responses.CERT_FILE
(optional, defaultNone
): The path of a certificate to verify the signature of Service Provider's authentication requests.REQUEST_ISSUER
(required): The expected issuer of the Service Provider's authentication request.RESPONSE_ISSUER
(required): The issuer of the authentication response registered at Service Provider.COUNTRY_PARAMETER
(optional, defaultcountry
): The name of a POST parameter containing citizen country code for/CitizenCountrySelector
and/ServiceProviderRequest
views.RESPONSE_SIGNATURE
(dictionary, required, use{}
to disable signing): Options for signing SAML responses returned to Service Provider:KEY_SOURCE
(required, string): The source ('file' or 'engine') to a signing key.KEY_LOCATION
(required, string): The path to a signing key.CERT_FILE
: (required, string): The path to the corresponding certificate.SIGNATURE_METHOD
(optional, string, defaultRSA_SHA512
): XML signature method.DIGEST_METHOD
(optional, string, defaultSHA512
): XML digest method.
RESPONSE_ENCRYPTION
(dictionary, required, use{}
to disable encryption): Options for encrypting SAML responses returned to Service Provider:CERT_FILE
: (required, string): The path to the certificate to encrypt a generated encryption key.ENCRYPTION_METHOD
(optional, string, defaultAES256_GCM
): XML encryption method.AES256_GCM
,AES192_GCM
, andAES168_GCM
are available with libxmlsec1 >= 1.2.27.AES256_CBC
,AES192_CBC
,AES168_CBC
, andTRIPLEDES_CBC
are supported by older libxmlsec1 but should not be used without consideration of possibly severe security risks.KEY_TRANSPORT
(optional, string, defaultRSA_OAEP_MGF1P
): XML key transport method.RSA
(RSA Version 1.5) andRSA_OAEP_MGF1P
(RSA-OAEP with MGF1-SHA1 as a mask generation function) are supported.
RESPONSE_VALIDITY
(int, optional, default 10): The validity of the SAML response in minutes.
Settings for the interaction with eIDAS Node. A dictionary with following items:
CONNECTOR_REQUEST_URL
(required): The URL where eIDAS Node expects authentication requests (e.g.,https://test.example.net/EidasNode/SpecificConnectorRequest
).REQUEST_ISSUER
(required): The issuer for light requests specified in eIDAS Node configuration.
A set containing URI names (strings, e.g. 'http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'
) of attributes that a service provider can request.
Other attributes are dropped from the authentication request.
All eIDAS natural and legal person attributes are enabled by default.
An empty set disables the filter.
A list of pairs with country code and name to be displayed in citizen country selector (/CitizenCountrySelector
).
Default is all 28 countries of EU.
Optional boolean, disabled by default.
If enabled, CONNECTOR_AUXILIARY_STORAGE
must be set too.
Once enabled, the country code of the request is logged along with the status of the corresponding request.
An auxiliary storage to hold some response metadata needed during request processing.
It is required if CONNECTOR_TRACK_COUNTRY_CODE
is enabled.
A dictionary with following items:
BACKEND
(optional, default'eidas_node.storage.ignite.AuxiliaryIgniteStorage'
): The backend class for communication with the light storage.OPTIONS
(required): A dictionary with configuration of the selected backend. TheAuxiliaryIgniteStorage
backend expects following options:host
: Apache Ignite service host.port
: Apache Ignite service port.cache_name
: The cache to store the data.prefix
: The prefix for cache keys (optional).timeout
: A timeout for socket operations.
You can customize the authorization flow by subclassing view classes in eidas_node.connector.views
, overriding necessary methods and adjusting URL configuration.
- The django-eidas-specific-node project:
- Copyright 2019 CZ.NIC, z. s. p. o.
- License: GPL-3+
- Country flags:
- Copyright 2013 Panayiotis Lipiridis
- License: MIT