SaToSa Training

The document discusses the SaToSa proxy for translating between different authentication protocols. It provides an overview of what SaToSa is, how to install it, how to configure plugins and directories, and how to extend it with custom plugins.

Authentication and Authorisation for Research and Collaboration

SaToSa Training
Training by AARC

https://aarc-project.eu
Summary and Actions

✓ Training:
▪ What is SaToSa
▪ How to Install
▪ How to Configure
▪ Directory
▪ Proxy_conf and internal_attributes
▪ SAML2
▪ OIDC
▪ Plugins & social
▪ How to extend (MS)

https://aarc-project.eu 2
What is SaToSa

• A configurable proxy for translating between different authentication protocols
• Allows the manipulation of attributes and flows
• Based on Python 3
• Easy to configure
Many to one

• Many SPs to a single IdP
One to many

• One SP
• Multiple IdPs
• Requires a discovery service
SAML2 to Social Login

• From SAML2 to Social Login
• One plugin for each social account
Translator OIDC - SAML2

SaToSa allows translation between different protocols:

• OpenID Connect <-> SAML2
• SAML2 <-> OpenID Connect

Later, we will see how to do that.
What is SaToSa

Authentication protocols:
• SAML2
• OpenID Connect
• OAuth2
• Social Network (Facebook, Google, OrcID…)

Use Cases
• SAML2<->SAML2
• SAML2<->Social logins
• SAML2<->OIDC
• OIDC<->SAML2

How to install

• Two ways: Docker or manual installation
• Manual installation (first way):
  i. Install dependencies: apt-get install libffi-dev libssl-dev xmlsec1
  ii. Download the SATOSA proxy project as a compressed archive and unpack it to <satosa_path>.
  iii. Install the application: pip install <satosa_path>
• Manual installation ("lazy" way): pip install satosa
• Docker is the recommended way of running the proxy
• Link: https://hub.docker.com/r/satosa/satosa/
Docker command

Docker pull command:

  docker pull satosa/satosa

Docker run command (placeholders in angle brackets are filled in by the operator):

  docker run \
    -p <port on host>:<proxy_port> \
    -v <host directory>:<data_dir> \
    -e DATA_DIR=<data_dir> \
    -e PROXY_PORT=<proxy_port> \
    [-e METADATA_DIR=<metadata_dir>] \
    satosa/satosa
What is SaToSa / Example directory

• proxy_conf.yaml
• internal_attributes.yaml
• plugins/
  • backends/
    • saml2_backends.yaml
    • google_backends.yaml
    • facebook_backends.yaml
    • ..._backends.yaml
  • frontends/
    • openid_connect_frontend.yaml
    • saml2_frontend.yaml
  • microservices/
    • account_linking.yaml
    • ldap_attributes.yaml

File hierarchy
Proxy_conf

• Configuration file; it points to all SaToSa files and modules
• Provides the list of directory/file paths needed to enable any module:
  • Frontend
  • Backend
  • Microservices
  • Plugins
Internal Attributes

• Maps every internal attribute
• Every internal attribute has a map of profiles, which in turn has a list of external attribute names which should be mapped to the internal attribute
• Multiple external attributes can be specified under a profile
• "user_id_from_attrs" overrides the user identifier generated by the backend module with a list of internal attribute names
• "user_id_to_attr" stores the user identifier in a specific internal attribute
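As an added example (not from the AARC slides or from SATOSA's own code), a small model of how an internal_attributes.yaml mapping is applied: profiles map external attribute names to internal ones, and user_id_from_attrs / user_id_to_attr rewrite the user identifier. The sample mapping is constructed, and how the real implementation joins several user_id_from_attrs values is an assumption here.

```python
# Constructed sample in the shape of internal_attributes.yaml: every internal
# attribute has a map of profiles, each listing external attribute names.
INTERNAL_ATTRIBUTES = {
    "attributes": {
        "mail": {"saml": ["mail", "emailAddress"], "openid": ["email"]},
        "displayname": {"saml": ["displayName"], "openid": ["name"]},
        "edupersontargetedid": {"saml": ["eduPersonTargetedID"], "openid": ["sub"]},
    },
    # Override the backend's user identifier with these internal attributes.
    "user_id_from_attrs": ["mail"],
    # Store the resulting identifier in this internal attribute.
    "user_id_to_attr": "uid",
}


def to_internal(config, profile, external):
    """Map raw provider attributes for one profile ("saml", "openid", ...)
    to internal names. Several external names under a profile are aliases:
    the first one present wins. Values are normalised to lists."""
    internal = {}
    for name, profiles in config["attributes"].items():
        for ext_name in profiles.get(profile, []):
            if ext_name in external:
                values = external[ext_name]
                internal[name] = list(values) if isinstance(values, list) else [values]
                break
    return internal


def apply_user_id(config, internal, backend_user_id):
    """Apply user_id_from_attrs / user_id_to_attr; returns (user_id, attrs).

    Joining the first value of each listed attribute is an assumption about
    how the real proxy builds the identifier."""
    user_id = backend_user_id
    from_attrs = config.get("user_id_from_attrs")
    if from_attrs:
        # A listed attribute that was not released is a configuration or
        # attribute-release problem, so fail loudly instead of falling back.
        missing = [a for a in from_attrs if not internal.get(a)]
        if missing:
            raise ValueError("user_id_from_attrs needs missing attribute(s): %s" % missing)
        user_id = "".join(internal[a][0] for a in from_attrs)
    to_attr = config.get("user_id_to_attr")
    if to_attr:
        internal[to_attr] = [user_id]
    return user_id, internal
```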
Plugins

• Divided into:
  • frontends, receiving requests from clients
  • backends, sending requests to target providers
  • micro services, allowing the management and manipulation of attributes
• Usually require 3 parameters:
  • module, the module file path
  • name, a unique name to identify this plugin
  • config, the variables the plugin needs to work correctly
• Plugins are customizable
Saml2 Plugin

• SAML2 frontend acts as a SAML Identity Provider (IdP)
• SAML2 backend acts as a SAML Service Provider (SP), making authentication requests to SAML Identity Providers (IdPs)
• The SAML2 frontend comes in 3 different flows:
  • "SAMLMirrorFrontend" module, mirrors each target provider as a separate entity in the SAML metadata:
    SP -> optional discovery service -> selected proxy SAML entity -> target IdP
  • "SAMLFrontend" module, acts like a single IdP and hides all target providers:
    SP -> proxy SAML SSO location -> target IdP
• The SAML frontend can also further restrict the attribute release

Saml2 Plugin\Parameters
Saml2 Frontend - Backend Plugin\Metadata

Metadata from local file:

  metadata:
    local: [idp.xml]

Metadata from remote URL:

  metadata:
    remote:
      - url: https://example.org/simplesaml/module.php/aggregator/
        cert: null

Metadata from remote MDQ:

  metadata:
    mdq:
      - url: https://example.disco.org
        cert: null
Saml2 Frontend Plugin\Example(1/3)

Saml2 Frontend Plugin\Example(2/3)

Saml2 Frontend Plugin\Example(3/3)

Saml2 backend Plugin\Example(1/2)

Saml2 backend Plugin\Example(2/2)
OIDC Plugin

• OpenID Connect backend acts as an OpenID Connect Relying Party (RP), making authentication requests to an OpenID Connect Provider (OP)
  • supports discovery and dynamic client registration
• OpenID Connect frontend acts as an OpenID Connect Provider (OP), accepting requests from OpenID Connect Relying Parties (RPs)
  • this plugin is NOT stateless

OpenID Frontend\Example

OpenID Backend\Example
Social login

• Social login plugins can be used as backends for the proxy, allowing the proxy to act as a client to the social login services.
• Available social login backends:
  • Google
  • Facebook
  • GitHub
  • LinkedIn
  • ORCID
  • OAuth
Micro services

• Micro services allow additional behaviour, configured inside the proxy.
• Two different types of micro services:
  • request micro services, which are applied to the incoming request
  • response micro services, which are applied to the incoming response from the target provider
• Bundled micro services in SaToSa:
  • AddStaticAttributes
  • FilterAttributeValues
  • DecideBackendByRequester
  • DecideIfRequesterIsAllowed
  • Account linking
  • User consent management
  • LDAP attribute store
Custom plugins

• It's possible to write custom plugins which can be loaded by SaToSa
• Depending on which type of plugin it is, it has to inherit from the correct base class and implement the specified methods:
  • Frontends must inherit satosa.frontends.base.FrontendModule
  • Backends must inherit satosa.backends.base.BackendModule
  • Request micro services must inherit satosa.micro_services.base.RequestMicroService
  • Response micro services must inherit satosa.micro_services.base.ResponseMicroService
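As an added example (not from the slides or from SATOSA's own code base), a custom response micro service that restricts attribute release per requester, in the style of the bundled FilterAttributeValues and the attribute-release restriction mentioned for the SAML frontend. It subclasses the real satosa.micro_services.base.ResponseMicroService when SATOSA is installed; otherwise a minimal stand-in with the same process()/next contract (an assumption about that contract) lets the logic run offline. The config layout, the SampleResponse class and run_filter helper are constructed for this example.

```python
import re

try:
    from satosa.micro_services.base import ResponseMicroService
except ImportError:  # stand-in for offline runs; mirrors the assumed base contract
    class ResponseMicroService:
        def __init__(self, *args, **kwargs):
            self.next = None  # set by SaToSa when it chains micro services

        def process(self, context, data):
            return self.next(context, data)


class AllowListAttributeFilter(ResponseMicroService):
    """Keep only attribute values matching the regex configured for the requester.

    config (constructed): attribute_filters -> requester entity id (or "" for
    the default) -> internal attribute name -> regex. Attributes without a
    rule are released unchanged; requester rules override the defaults."""

    def __init__(self, config, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.filters = config.get("attribute_filters", {})

    def _rules_for(self, requester):
        rules = dict(self.filters.get("", {}))
        rules.update(self.filters.get(requester, {}))
        return {attr: re.compile(pattern) for attr, pattern in rules.items()}

    def process(self, context, data):
        # data is SaToSa's InternalData: .requester and .attributes (dict of lists)
        for attr, regex in self._rules_for(data.requester).items():
            if attr in data.attributes:
                data.attributes[attr] = [v for v in data.attributes[attr] if regex.search(v)]
        return super().process(context, data)


class SampleResponse:
    """Constructed stand-in for satosa.internal.InternalData."""
    def __init__(self, requester, attributes):
        self.requester = requester
        self.attributes = attributes


def run_filter(config, requester, attributes):
    """Run the micro service as the last step of a chain; return the attributes."""
    ms = AllowListAttributeFilter(config, name="allow_list", base_url="https://proxy.example.org")
    ms.next = lambda context, data: data
    return ms.process(None, SampleResponse(requester, attributes)).attributes
```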
Generate metadata

• Proxy metadata is generated based on the front-/backend plugins listed in proxy_conf.yaml using satosa-saml-metadata
  • installed globally by the SATOSA installation
  • satosa-saml-metadata <path to proxy_conf.yaml> <path to key for signing> <path to cert for signing>
Running proxy application

• The SATOSA proxy is a Python WSGI application, so it must be run using a WSGI-compliant web server.
• Different solutions:
  • Using Gunicorn
  • Using Apache HTTP Server and mod_wsgi
Gunicorn

• Python WSGI HTTP server for UNIX
• Often proxied by a full-featured general-purpose web server (Nginx or Apache):
  • to help buffer slow clients
  • to enable more sophisticated error page rendering
  • to handle SSL sessions
• Start with the following command:
  gunicorn -b <socket address> satosa.wsgi:app --keyfile=<https key> --certfile=<https cert>
Apache HTTP Server and mod_wsgi

• Full guide available at the following link:
  https://github.com/IdentityPython/SATOSA/blob/master/doc/mod_wsgi.md
Thank you
Any Questions?


© GÉANT on behalf of the AARC project.


The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 730941 (AARC2).