OpenConext EngineBlock Configuration
Using Engineblock with Stepup requires Engineblock 4.3.3 or above.
Engineblock version 4.3.3 and above support trusted proxies. A "trusted proxy" is a SAML proxy (here: the Stepup-Gateway) that Engineblock trusts to tell it which Service Provider is actually authenticating to Engineblock. A trusted proxy does this using the Scoping/RequesterID element in the AuthnRequest. Engineblock treats the RequesterID in the Scoping element as the real service provider and applies the ARP and ACL of that SP in addition to the ARP and ACL of the trusted proxy, as it would for any proxy. For trusted proxies, however, Engineblock uses the NameID configuration and consent configuration of the SP named in the RequesterID, and generates the NameID in eduPersonTargetedID for that SP, instead of using the configuration of the trusted proxy. The NameID in the Subject is always set according to the configuration of the trusted proxy.
- Create a new SP connection in the OpenConext service registry for the Stepup-Gateway. Its EntityID is: https://gateway.tld/authentication/metadata
  - Enable "coin:trusted_proxy"
  - Enable "redirect.sign"
  - Set the ARP to "none". This allows the Stepup-Gateway to potentially receive any attribute; the ARP of the real SP is then applied to limit the attributes that SP receives.
  - Set the NameID type to "unspecified". This makes the Stepup-Gateway receive the OpenConext CollabID ("urn:collab:person:...") in the Subject.
- Create a new SP connection in the OpenConext service registry for the Stepup-SelfService. Its EntityID is: https://selfservice.tld/authentication/metadata
  - Set the ARP to:
    - TargetedID
    - Common Name
    - SchacHomeOrganization
  - Set the NameID type to "unspecified"
- Create a new SP connection in the OpenConext service registry for the Stepup-RA. Its EntityID is: https://ra.tld/authentication/metadata
  - Set the ARP to:
    - TargetedID
    - Common Name
    - SchacHomeOrganization
  - Set the NameID type to "unspecified"
- Allow the IdPs that you want to be able to use Stepup access to the Gateway, SelfService and RA.

In addition to adding an SP to the Stepup-Gateway by updating the Stepup-Middleware configuration, the SP must be added to OpenConext as well. Add the SP connection to the OpenConext service registry as you would any other SP:
- Set the ARP, but always include TargetedID
- Set the ACL. When allowing IdPs access to the SP, you must also allow those IdPs access to the Stepup-Gateway, otherwise EB will deny the connection.
- If the SP will never connect to EB directly, you can omit the ACS and certificate configuration.
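The following is an added illustration of the trusted-proxy rules described above (RequesterID resolution, combined ARP, combined ACL, and the two NameID configurations); it is not Engineblock's own code. The registry entries, entity IDs and the AuthnRequest are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed service-registry entries (not a real registry export).
# arp=None stands for ARP "none": the entity may receive any attribute.
REGISTRY = {
    "https://gateway.tld/authentication/metadata": {
        "trusted_proxy": True, "arp": None, "nameid": "unspecified",
        "allowed_idps": {"https://idp.example.org"}},
    "https://app.example.org/saml": {
        "trusted_proxy": False, "nameid": "persistent",
        "arp": {"TargetedID", "Common Name", "SchacHomeOrganization"},
        "allowed_idps": {"https://idp.example.org",
                         "https://other-idp.example.org"}},
}

# Constructed AuthnRequest as the Stepup-Gateway would send it to Engineblock:
# the Issuer is the Gateway, Scoping/RequesterID names the real SP.
AUTHN_REQUEST = """<samlp:AuthnRequest ID="_constructed" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://gateway.tld/authentication/metadata</saml:Issuer>
  <samlp:Scoping>
    <samlp:RequesterID>https://app.example.org/saml</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def resolve(request_xml, idp, idp_attributes):
    """Decide which SP is authenticating, whether the IdP may be used,
    which attributes pass both ARPs, and which NameID settings apply."""
    root = ET.fromstring(request_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    proxy = REGISTRY[issuer]
    requester = root.findtext("samlp:Scoping/samlp:RequesterID", namespaces=NS)
    # Only a trusted proxy may name the real SP; otherwise the Issuer is the SP.
    sp_id = requester if (proxy["trusted_proxy"] and requester) else issuer
    sp = REGISTRY[sp_id]
    # ACL: the IdP must be allowed for the proxy AND the real SP, or EB denies.
    if idp not in proxy["allowed_idps"] or idp not in sp["allowed_idps"]:
        return {"allowed": False, "sp": sp_id}
    # ARP: both ARPs apply; an ARP of "none" (None) lets everything through.
    released = {a for a in idp_attributes
                if all(e["arp"] is None or a in e["arp"] for e in (proxy, sp))}
    return {"allowed": True, "sp": sp_id, "attributes": released,
            "subject_nameid": proxy["nameid"],      # always the proxy's config
            "targetedid_nameid": sp["nameid"]}      # the real SP's config
```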