Description
The configuration for the fallback GSSP is static and stored in https://github.com/OpenConext/Stepup-Gateway/tree/main/config/openconext
The gateway currently has a dynamic list of GSSPs configured. See for example the azuremfa GSSP configuration in https://github.com/OpenConext/Stepup-Gateway/blob/main/config/openconext/samlstepupproviders.yaml#L51-L70 and the corresponding https://github.com/OpenConext/Stepup-Gateway/blob/main/config/openconext/samlstepupproviders_parameters.yaml.dist#L58-L90 for the parameters.
Does it make sense to reuse this configuration for the fallback GSSP or do we want to add new configuration for this?
- For the use case of the fallback GSSP there is no need for having the `hosted.identity_provider`, because this is the identity provider on the gateway that proxies GSSP requests from Stepup-SelfService and Stepup-RA. Having it there is not harmful; it would allow SelfService and the RA to send AuthnRequests to it that validate.
- In this use case we will be reusing an existing GSSP, so there will be no difference.
- There is other configuration to enable / disable GSSPs; not adding the GSSP proxy SP in any of these locations may be sufficient to disable the proxy for the GSSP:
  - https://github.com/OpenConext/Stepup-Gateway/blob/main/config/openconext/samlstepupproviders.yaml#L51-L70
  - There is "double" configuration of the GSSP proxy SPs in the middleware configuration: https://github.com/OpenConext/OpenConext-devconf/blob/main/stepup/middleware/middleware-config.json#L131-L158
If we use the samlstepupproviders.yaml for the configuration, then we can reference the GSSP by its ID in parameters.yaml.
Proposed way forward (TODO: discuss):
- Add the fallback GSSP to the samlstepupproviders.yaml, with possibly a dummy `hosted.identity_provider` configuration. When the GSSP does double duty, as we want to do with AzureMFA, this does not apply.
- Add the other configuration to the parameters.yml:
```yaml
# The GSSP ID from samlstepupproviders.yaml to use as fallback GSSP
# Set fallback_gssp to false to disable the fallback_gssp functionality
# fallback_gssp: false
fallback_gssp: 'azuremfa'
# The user attribute to use in the Subject of the AuthnRequest to the fallback GSSP
fallback_gssp_subject_attribute: 'urn:mace:dir:attribute-def:mail'
```

If the user's institution must be retrieved from an attribute too (see discussion at: #442):

```yaml
# The user attribute to use to determine the user's home institution
fallback_gssp_institution_attribute: 'urn:mace:terena.org:attribute-def:schacHomeOrganization'
```
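A consistency check for the proposed parameters, added here as an example and not part of the Stepup-Gateway code base: it confirms that `fallback_gssp` is either `false` or the ID of a provider that actually exists in samlstepupproviders.yaml, and that the subject attribute is set whenever the fallback is enabled. It assumes samlstepupproviders.yaml parses to a `providers` mapping keyed by GSSP ID; the dicts below are constructed stand-ins for what `yaml.safe_load` would return from the two files.

```python
# Constructed stand-in for the 'providers' section of samlstepupproviders.yaml
# (assumed shape: one entry per GSSP, keyed by its ID).
PROVIDERS = {
    "tiqr": {"hosted": {"service_provider": {}, "identity_provider": {}}},
    "azuremfa": {"hosted": {"service_provider": {}, "identity_provider": {}}},
}

# Constructed stand-in for the proposed additions to parameters.yaml.
PARAMETERS = {
    "fallback_gssp": "azuremfa",
    "fallback_gssp_subject_attribute": "urn:mace:dir:attribute-def:mail",
    "fallback_gssp_institution_attribute": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
}


def validate_fallback_gssp(parameters, providers):
    """Return a list of problems; an empty list means the fallback configuration is usable.

    `fallback_gssp: false` (or absent) disables the feature, so no other key is required then.
    """
    problems = []
    gssp = parameters.get("fallback_gssp", False)
    if gssp is False or gssp is None:
        return problems  # feature disabled: nothing else to check
    if not isinstance(gssp, str) or not gssp:
        return [f"fallback_gssp must be a GSSP ID or false, got {gssp!r}"]
    if gssp not in providers:
        problems.append(
            f"fallback_gssp {gssp!r} is not a provider in samlstepupproviders.yaml "
            f"(known: {', '.join(sorted(providers))})"
        )
    # The Subject attribute is mandatory once the fallback is enabled.
    subject = parameters.get("fallback_gssp_subject_attribute")
    if not isinstance(subject, str) or not subject:
        problems.append("fallback_gssp_subject_attribute must be a non-empty string")
    # The institution attribute is optional (see #442) but, when present, must be a string.
    institution = parameters.get("fallback_gssp_institution_attribute")
    if institution is not None and (not isinstance(institution, str) or not institution):
        problems.append("fallback_gssp_institution_attribute must be a non-empty string when set")
    return problems


if __name__ == "__main__":
    for problem in validate_fallback_gssp(PARAMETERS, PROVIDERS):
        print("config problem:", problem)
```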