That's the repo. https://github.com/eosc-kc/fedservice
However, the python code was found to be useless in our case, because it's not aligned with the latest version of the oidc federation spec.
We coded - following a similar approach - the needed RP and Intermediate parties, which can be found here: https://github.com/eosc-kc/oidc-federation-entities
Support filtering of entities imported from SAML aggregates by whitelisting/blacklisting entityIds. The realm admin should be able to supply whitelists/blacklists through the SAML aggregate configuration UI.
The keycloak instance implementing the 1st federation approach can be found here: https://eosc-kc.aai-dev.grnet.gr
It has two realms, the "master" and the "EOSC".
We should now register it in eduGAIN federation.
Realm admins should be able to disable automatic updates for specific entities.
Two approaches:
Extend (individual) IdP configuration to allow disabling automatic updates (automatic updates should be enabled by default when the IdP is configured via remote XML metadata URL)
Extend saml aggregate configuration to allow specifying IdPs that should be excluded from the automatic update process
When configuring a SAML metadata aggregate it should be possible to specify filters for including and/or excluding entities based on:
Entity Category (e.g. Research and Scholarship, Sirtfi, GÉANT Data Protection Code of Conduct)
Entity type, i.e. IdP, SP or Attribute Authority
Identity Federation: Typically this information is specified in the mdrpi:registrationAuthority attribute in the md:EntityDescriptor element of the entity’s metadata (see eduGAIN SAML Profile)
=== 1 Entity category filtering
Example for including REFEDS R&S, GEANT DPCoCo and Sirtfi
Attribute Name="http://macedir.org/entity-category-support"
Attribute value=[
"http://refeds.org/category/research-and-scholarship",
"http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
]
Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
Attribute value=[
"https://refeds.org/sirtfi"
]
=== 2 Entity type
=== 3 Entity type
To filter entities based on their identity federation it should be possible to specify include/exclude lists for matching the registrationAuthority. E.g.
Realm administrator should be able to configure the periodic renewal of the current Acceptable Use Policy (AUP or Terms & Conditions). Effectively, users will be required to renew their acceptance of the AUP following the configured period (e.g. every 12 months). Users who don't renew their acceptance should be put in grace period after which they should be removed from the user database (or set their status to expired)
In a previous telco, i performed a short demonstration of our OP-enabled keycloak, along with a simple RP and a set of dummy intermediates, just to showcase how a oidc client can be registered to keycloak using the "explicit registration" described in the oidc federation specification. The relying party and the federation intermediates were setup with the use of https://github.com/eosc-kc/oidc-federation-entities
Need to extend the keycloak's current db model to hold saml federation properties.
Create the federation entity, with a one-to-many relationship with IdentityProviderEntity and a many-to-one relationship with the RealmEntity
create entitiy, relationships
create a changeset for the database changes
Proposed fields :
String url
String alias
String providerId ( saml-federation or oidc-federation )
Integer updateEveryHours
Integer totalIdps
Integer addedIdps
Long created
Long lastUpdated
RealmEntity realm
Set skipEntities
Set erroneousEntities ( entities that failed to add in database)
Send a federation url,the IdPs type, an alias name for the federation , a "refresh every X hours" parameter and an idp skip-list (entityID list). This will result into having the federation along with its IdPs saved into the database.
Keycloak does not allow controlling theAllowCreate (see Section 3.4.1.1 in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) in AuthN requests. The IdentityProvider configuration needs to be extended to allow overriding the current behaviour which is not consistent with the SAML core spec where AllowCreate defaults to false.