WIP for #535

OpenConext · Oct 31, 2024 · 0d41780 · 0d41780
1 parent 3b53bde
commit 0d41780
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -129,3 +129,8 @@ The redirect URI's for local development have to start with https. You can use t
 ```
 ngrok http --domain okke.harsta.eu.ngrok.io 8081
 ```
+
+### Running the IdP and testing localhost
+
+The [idp_metadata.xml](idp_metadata.xml) file contains the IdP metadata for localhost development. Import an IdP in Manage and
+whitelist this for the SP's you want to test with. The OIDC-Playground is capable of testing the different ACR options.
diff --git a/idp_metadata.xml b/idp_metadata.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                     entityID="https://localhost.surf.id" validUntil="2025-10-31T07:08:35.719209603Z" cacheDuration="PT86400S">
+    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
+                         WantAuthnRequestsSigned="true">
+        <md:KeyDescriptor use="signing">
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:X509Data>
+                    <ds:X509Certificate>MIICvDCCAaQCCQCOtlEewzza9zANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQKDBVPcmdhbml6YXRpb24sIENOPU9JREMwHhcNMjIwMTI3MTA0OTQ2WhcNMjMwMTI3MTA0OTQ2WjAgMR4wHAYDVQQKDBVPcmdhbml6YXRpb24sIENOPU9JREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMf3M9YNm1B+Db2W+04fvY9nOOM4UU8A1mQkY3m6JGwyq2Hul3LGqEJQgXwtpJhA/TOnlMQ4je9h0/vDfyT7v0exEWhykOqOPcuZ4OVmSACtUiao3VE2HiZz7kjSsSvix0+UeaouqxDcGpi4+qIrPFHFqQ8rNdl+2S4ZEzGQxqgK6n92a9Ng+mnSx21FEIu3o8rNqlTrN9mhtfoTSiVUDIWEM/1fAwt7NOzpw7GMbnV8nbSFUtEnn0oNm8H0Qqy8BAhMUHL8AZXO5Uwm+cVmVh9JQtWANfzhPD7l+DD8h7W5fi1VeLiAgo0Go0EF6z1Jk2aGTKWBQzODClF01j5NizAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAA8ttJeHPAMHduvwmvzkMjw2p0w7AptQXcqTlgBP3MAZKncn81SkO0jd0gvBTmUzt4oMiRJYnTm1ghUXNW5qK+2fjXwt5HXXz5OJGrN6A0MybOd/OXK/3Q5PHWvfLE/+zLWT67c34n0q6KDBBZheoF2SKw10s/mDJ1eHRHZIlsFmF6Z3Ll6h3fkL/0MsBOkmQ3CEtpTFpNk9lma3cnGQJ7p7t4T9iVNDSL1/fqDZPoaVzUJx39sXjb/ouCIDrXN3+ayElehQa+aXpE4KdG22j4Dm+k83OO3hujjugEAze+CeHDyy7X9c6c79bCXBU4HQK0ff0PiSxv0xpjsP3tMMr1U&#61;</ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                                Location="http://localhost:8081/saml/guest-idp/SSO"/>
+    </md:IDPSSODescriptor>
+    <md:ContactPerson contactType="support">
+        <md:GivenName>Support</md:GivenName>
+        <md:SurName>OpenConext</md:SurName>
+        <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
+    </md:ContactPerson>
+    <md:ContactPerson contactType="technical">
+        <md:GivenName>Support</md:GivenName>
+        <md:SurName>OpenConext</md:SurName>
+        <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
+    </md:ContactPerson>
+    <md:ContactPerson contactType="administrative">
+        <md:GivenName>Support</md:GivenName>
+        <md:SurName>OpenConext</md:SurName>
+        <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
+    </md:ContactPerson>
+</md:EntityDescriptor>
diff --git a/myconext-server/src/main/java/myconext/security/GuestIdpAuthenticationRequestFilter.java b/myconext-server/src/main/java/myconext/security/GuestIdpAuthenticationRequestFilter.java
@@ -456,7 +456,6 @@ private boolean checkStepUp(HttpServletResponse response, HttpServletRequest req
                 !hasStudentAffiliation;
         boolean missingValidName = !CollectionUtils.isEmpty(authenticationContextClassReferences) && authenticationContextClassReferences.contains(ACR.VALIDATE_NAMES) &&
                 !hasValidatedName(user);
-        //TODO move this to the last if/ else clause as there is no direct redirect to the aap nudge page
         if (user.isNewUser()) {
             user.setNewUser(false);
             //ensure the user is the coming 24 hours is not nudged to the app
@@ -477,7 +476,9 @@ private boolean checkStepUp(HttpServletResponse response, HttpServletRequest req
                 return true;
             }
             //we don't redirect the user to the nudge app page anymore
-            return true;
+            String url = String.format("%s?h=%s&force=true", this.magicLinkUrl, hash);
+            response.sendRedirect(url);
+            return false;
         } else if (inStepUpFlow) {
             finishStepUp(samlAuthenticationRequest);
             if (missingStudentAffiliation || missingValidName) {