
Centralise loa definitions for most apps in group_vars
For most apps this suffices since they only need the list of externally
published LoA urls (PDP, Dashboard, Manage, OIDC(playground)..)

EB remains special because it has an intricate config which maps different
values to others and also references EB internal constants while it's at
it. Might be refactored further sometime.
thijskh committed Apr 26, 2023
1 parent e42e14c commit 6c218fd
Showing 12 changed files with 27 additions and 30 deletions.
8 changes: 1 addition & 7 deletions environments/template/group_vars/template.yml
Expand Up @@ -382,14 +382,11 @@ oidcng:
api_user: manage
key_rollover_cron_expression: "0 0 0 * * *"
acr_values_supported:
- http://{{ base_domain }}/assurance/loa1
- http://{{ base_domain }}/assurance/loa2
- http://{{ base_domain }}/assurance/loa3
- https://eduid.nl/trust/validate-names
- https://eduid.nl/trust/linked-institution
- https://eduid.nl/trust/affiliation-student
- https://refeds.org/profile/mfa
default_acr_value: http://{{ base_domain }}/assurance/loa1
default_acr_value: "{{ stepup_intrinsic_loa }}"
eduid_attribute_manipulation_enabled: false
consent_enabled: false
token_api_enabled: false
Expand Down Expand Up @@ -479,9 +476,6 @@ manage:
password: "{{ aa_manage_password }}",
scopes: ["READ"]
}
loa_values_supported:
- http://{{ base_domain }}/assurance/loa2
- http://{{ base_domain }}/assurance/loa3
oidc_rp_redirect_url_format: "url"

loadbalancing:
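Review bot: After the first hunk `oidcng.acr_values_supported` holds only the eduID and REFEDS ACR values, while the stepup LoA URLs are prepended at render time in the oidcng and oidc-playground templates, so a reader of this file no longer sees the full list that is advertised. A comment above the key would stop someone re-adding the LoA URLs here and producing duplicates in the discovery document, e.g. `# Non-stepup ACR values only; the stepup LoA URLs are prepended from stepup_intrinsic_loa and stepup_loa_values_supported in the oidcng/oidc-playground templates`. The same applies to the matching hunk in environments/vm/group_vars/vm.yml.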
8 changes: 1 addition & 7 deletions environments/vm/group_vars/vm.yml
Expand Up @@ -272,14 +272,11 @@ oidcng:
api_user: manage
key_rollover_cron_expression: "0 0 0 * * *"
acr_values_supported:
- http://{{ base_domain }}/assurance/loa1
- http://{{ base_domain }}/assurance/loa2
- http://{{ base_domain }}/assurance/loa3
- https://eduid.nl/trust/validate-names
- https://eduid.nl/trust/linked-institution
- https://eduid.nl/trust/affiliation-student
- https://refeds.org/profile/mfa
default_acr_value: http://{{ base_domain }}/assurance/loa1
default_acr_value: "{{ stepup_intrinsic_loa }}"
eduid_attribute_manipulation_enabled: false
consent_enabled: false
token_api_enabled: false
Expand Down Expand Up @@ -375,9 +372,6 @@ manage:
password: "{{ aa_manage_password }}",
scopes: ["READ"]
}
loa_values_supported:
- http://{{ base_domain }}/assurance/loa2
- http://{{ base_domain }}/assurance/loa3
oidc_rp_redirect_url_format: "url"

manage_show_oidc_rp_tab: true
9 changes: 9 additions & 0 deletions group_vars/all.yml
Expand Up @@ -68,6 +68,15 @@ logback_max_history: 7
# The manage spring_app port is used by various roles
manage_springapp_tcpport: 9393

# OpenConext Stepup Level of Assurance Identifiers
# The intrinsic loa is "LoA 1" / just first factor / no stepup required
stepup_intrinsic_loa: "http://{{ base_domain }}/assurance/loa1"
# This does not include the intrinsic loa since most apps only require the >1 loa's
stepup_loa_values_supported:
- "http://{{ base_domain }}/assurance/loa1.5"
- "http://{{ base_domain }}/assurance/loa2"
- "http://{{ base_domain }}/assurance/loa3"

mfa_values_supported:
- "http://schemas.microsoft.com/claims/multipleauthn"
- "https://refeds.org/profile/mfa"
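Review bot: `stepup_loa_values_supported` starts with loa1.5, whereas the `manage.loa_values_supported` list it replaces started with loa2, and the four manage schema templates further down take `stepup_loa_values_supported[0]` as the default for the Stepup require-LoA attribute, so that schema default moves from loa2 to loa1.5 and loa1.5 becomes selectable where it was not before. If that is deliberate it belongs in the commit message; if not, the manage templates should name the default explicitly rather than by position. Either way the ordering is load-bearing, so a comment such as `# Ordered lowest to highest; the first entry is used as the default minimum LoA by the manage templates` would document it.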
6 changes: 3 additions & 3 deletions roles/dashboard-server/templates/application.properties.j2
Expand Up @@ -91,7 +91,7 @@ guestidp.entityids={{ dashboard.guestidp_entityids }}
# tabs that can be hidden are: statistics,apps,policies,tickets,my_idp and user_invite
dashboard.hide_tabs={{ dashboard_hide_tabs }}

default_loa_level={{ manage.loa_values_supported[0] }}
loa_values_supported={% for loa in manage.loa_values_supported %}{{ loa }}{{ "," if not loop.last else ""}} {% endfor %}
default_loa_level={{ stepup_intrinsic_loa }}
loa_values_supported={{ stepup_loa_values_supported | join(",") }}

authn_context_levels={% for mfa in mfa_values_supported %}{{ mfa }}{{ "," if not loop.last else ""}} {% endfor %}
authn_context_levels={{ mfa_values_supported | join(",") }}
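Review bot: `default_loa_level` on the new line resolves to `stepup_intrinsic_loa` (loa1), whereas the replaced line resolved to `manage.loa_values_supported[0]` (loa2), so the dashboard's default LoA is lowered by this commit rather than merely centralised. If loa2 is still the intended default, `default_loa_level={{ stepup_loa_values_supported[1] }}` or a dedicated variable would preserve it; if loa1 is intended, the commit message should say so. The `join(",")` form also drops the trailing space the old loop emitted after each value, which is presumably harmless but worth confirming against the property parser.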
4 changes: 2 additions & 2 deletions roles/engineblock/defaults/main.yml
Expand Up @@ -72,11 +72,11 @@ engine_maximum_authentication_procedures_allowed: 5
engine_stepup_authn_context_class_ref_blacklist_regex: '/http:\/\/{{ base_domain | regex_escape }}\/assurance\/loa[1-3]/'
# The loa mapping from the internal used LoA's to the Stepup Gateway LOA's
engine_stepup_engineblock_loa1: "http://{{ base_domain }}/assurance/loa1"
engine_stepup_engineblock_loa1_5: "http://{{ base_domain }}/assurance/loa1_5"
engine_stepup_engineblock_loa1_5: "http://{{ base_domain }}/assurance/loa1.5"
engine_stepup_engineblock_loa2: "http://{{ base_domain }}/assurance/loa2"
engine_stepup_engineblock_loa3: "http://{{ base_domain }}/assurance/loa3"
engine_stepup_gateway_loa1: "http://{{ engine_stepup_base_domain }}/assurance/loa1"
engine_stepup_gateway_loa1_5: "http://{{ engine_stepup_base_domain }}/assurance/loa1_5"
engine_stepup_gateway_loa1_5: "http://{{ engine_stepup_base_domain }}/assurance/loa1.5"
engine_stepup_gateway_loa2: "http://{{ engine_stepup_base_domain }}/assurance/loa2"
engine_stepup_gateway_loa3: "http://{{ engine_stepup_base_domain }}/assurance/loa3"
# The EntityId (metadata URL) used in the callout to the SFO endpoint of the configured Stepup Gateway
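Review bot: The rename on the `engine_stepup_gateway_loa1_5` line changes the identifier this deployment expects the Stepup Gateway to use for LoA 1.5, which is an external contract rather than a local constant; if the gateway still publishes `/assurance/loa1_5`, EngineBlock can no longer map that level in either direction. Please confirm the gateway's configured identifier, and consider stating in the comment which side owns it, e.g. `# Must match the LoA identifiers configured on the Stepup Gateway itself`. The same rename reaches the PDP through `loa.levels` in roles/pdp-server/templates/application.properties.j2, where any existing policy written against `loa1_5` would reference a value that is no longer in the supported set.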
Expand Up @@ -457,11 +457,11 @@
"type": "string",
"format": "url",
"enum": [
{% for loa in manage.loa_values_supported %}
{% for loa in stepup_loa_values_supported %}
"{{ loa }}"{{ "," if not loop.last else ""}}
{% endfor %}
],
"default": "{{ manage.loa_values_supported[0] }}",
"default": "{{ stepup_loa_values_supported[0] }}",
"info": "Set to require Stepup Authentication for this SP with the specified minimum Level of Assurance."
},
"coin:stepup:allow_no_token": {
Expand Up @@ -128,11 +128,11 @@
"string"
],
"enum": [
{% for loa in manage.loa_values_supported %}
{% for loa in stepup_loa_values_supported %}
"{{ loa }}"{{ "," if not loop.last else ""}}
{% endfor %}
],
"default": "{{ manage.loa_values_supported[0] }}"
"default": "{{ stepup_loa_values_supported[0] }}"
}
}
},
Expand Up @@ -559,11 +559,11 @@
"type": "string",
"format": "url",
"enum": [
{% for loa in manage.loa_values_supported %}
{% for loa in stepup_loa_values_supported %}
"{{ loa }}"{{ "," if not loop.last else ""}}
{% endfor %}
],
"default": "{{ manage.loa_values_supported[0] }}",
"default": "{{ stepup_loa_values_supported[0] }}",
"info": "Set to require Stepup Authentication for this SP with the specified minimum Level of Assurance."
},
"coin:stepup:allow_no_token": {
Expand Up @@ -471,11 +471,11 @@
"type": "string",
"format": "url",
"enum": [
{% for loa in manage.loa_values_supported %}
{% for loa in stepup_loa_values_supported %}
"{{ loa }}"{{ "," if not loop.last else ""}}
{% endfor %}
],
"default": "{{ manage.loa_values_supported[0] }}",
"default": "{{ stepup_loa_values_supported[0] }}",
"info": "Set to require Stepup Authentication for this SP with the specified minimum Level of Assurance."
},
"coin:stepup:allow_no_token": {
2 changes: 1 addition & 1 deletion roles/oidc-playground-server/templates/application.yml.j2
Expand Up @@ -32,6 +32,6 @@ gui:

acr:
values:
{% for loa in oidcng.acr_values_supported %}
{% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported + oidcng.acr_values_supported %}
- "{{ loa }}"
{% endfor %}
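Review bot: The list expression on the new `{% for %}` line is repeated verbatim in roles/oidcng/templates/openid-configuration.json.j2, so the playground and the OP can silently drift apart if one of them is edited later. Computing it once in group_vars, e.g. `oidcng_acr_values: "{{ [stepup_intrinsic_loa] + stepup_loa_values_supported + oidcng.acr_values_supported }}"`, and looping over that in both templates keeps the two advertised lists identical by construction. Note that because `stepup_loa_values_supported` now contains loa1.5, both templates start advertising loa1.5 as an ACR value, which the replaced `oidcng.acr_values_supported` list did not.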
2 changes: 1 addition & 1 deletion roles/oidcng/templates/openid-configuration.json.j2
Expand Up @@ -90,7 +90,7 @@
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"acr_values_supported": [
{% for loa in oidcng.acr_values_supported %}
{% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported + oidcng.acr_values_supported %}
"{{ loa }}"{{ "," if not loop.last else ""}}
{% endfor %}
],
2 changes: 1 addition & 1 deletion roles/pdp-server/templates/application.properties.j2
Expand Up @@ -83,7 +83,7 @@ logging.level.pdp: DEBUG
# In a multi master database setup toggle which machine is reponsible for cron jobs
pdpCronJobResponsible= {{ pdp_cronjobmaster }}

loa.levels=http://{{ base_domain }}/assurance/loa1_5,http://{{ base_domain }}/assurance/loa2,http://{{ base_domain }}/assurance/loa3
loa.levels={{ stepup_loa_values_supported | join(",") }}

management.health.mail.enabled=true
management.endpoints.web.exposure.include=health,info