
pyFF – federation metadata processing at its best

As mentioned earlier I was going to replace thiss-mdq with pyFF for my SAML federation metadata query service.

Comparison thiss-mdq / pyFF

On its project site thiss-mdq describes itself as

The thiss-mdq is a minimal implementation of MDQ that only supports JSON data.

while pyFF considers itself “a SAML metadata aggregator written in python”.

Both provide the /entities/ endpoint, including the search function /entities/?q=something, and the /.well-known/webfinger endpoint.

The metadata (both SP and IdP) for thiss-mdq needs to be available as JSON formatted files. Most SAML metadata out there is, however, stored as XML. So if you don't want to translate XML files to JSON by hand, you may use pyFF for that task anyway.
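To make the XML-to-JSON step concrete, here is an added example (my own code, not pyFF's discojson pipe or anything from thiss-mdq) that reduces a SAML metadata aggregate to a small JSON index with the entityID, role (IdP/SP), mdui display names and registration authority, plus a substring search in the spirit of /entities/?q=. The JSON keys are a simplified shape of my own, not the exact discojson schema, and the embedded aggregate is constructed test data, not real federation metadata.

```python
"""Translate SAML metadata XML into a minimal JSON index.
Added example, not pyFF or thiss-mdq code. The JSON keys are a simplified
shape of my own, not the exact discojson schema."""
import json
import xml.etree.ElementTree as ET

# For feeds you do not control, parse with defusedxml instead of the stdlib
# parser to avoid entity-expansion denial of service.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample aggregate (one IdP, one SP); not real federation data.
SAMPLE_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://www.aai.dfn.de"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:DisplayName xml:lang="de">Beispiel Universität</mdui:DisplayName>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_to_record(ed):
    """Reduce one md:EntityDescriptor to the fields a discovery UI needs."""
    roles = []
    if ed.find("md:IDPSSODescriptor", NS) is not None:
        roles.append("idp")
    if ed.find("md:SPSSODescriptor", NS) is not None:
        roles.append("sp")
    names = {}
    for dn in ed.iterfind(".//mdui:UIInfo/mdui:DisplayName", NS):
        names[dn.get(XML_LANG, "")] = (dn.text or "").strip()
    reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    entity_id = ed.get("entityID")
    return {
        "entityID": entity_id,
        "type": roles,
        # Prefer the English name, then any name, then fall back to the entityID.
        "title": names.get("en") or next(iter(names.values()), entity_id),
        "displayNames": names,
        "registrationAuthority": reg.get("registrationAuthority") if reg is not None else None,
    }


def metadata_to_records(xml_text, role=None):
    """Parse an EntitiesDescriptor (or a single EntityDescriptor) and return
    one record per entity, optionally restricted to "idp" or "sp"."""
    root = ET.fromstring(xml_text)
    ed_tag = "{%s}EntityDescriptor" % NS["md"]
    if root.tag not in (ed_tag, "{%s}EntitiesDescriptor" % NS["md"]):
        raise ValueError("root element is not SAML metadata: %s" % root.tag)
    records = [entity_to_record(ed) for ed in root.iter(ed_tag)]
    if role:
        records = [r for r in records if role in r["type"]]
    return records


def search(records, q):
    """Case-insensitive substring match over entityID and display names."""
    q = q.lower()
    return [r for r in records
            if q in r["entityID"].lower()
            or any(q in n.lower() for n in r["displayNames"].values())]


if __name__ == "__main__":
    recs = metadata_to_records(SAMPLE_XML)
    print(json.dumps(recs, indent=2, ensure_ascii=False))
    print([r["entityID"] for r in search(recs, "beispiel")])
```

Write the output of metadata_to_records(..., role="idp") and role="sp" to two files and you have the split that the /entities/idps and /entities/sps endpoints later in this post produce in XML form.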

Query metadata using the pyFF daemon (pyffd)

In addition to the above features, pyFF also allows updating the retrieved metadata on a regular basis. It even allows certain modifications (signing, merging, filtering) of the provided data.

While static data could also be served by running pyff periodically (and publishing the generated metadata by other means, e.g. your own web server), this does not work for the query service.

That's what the pyffd daemon is for.

pyffd can provide endpoints for multiple datasets, like:

/entities
/entities/idps
/entities/sps

and so on. Each endpoint can serve its own metadata set (and also make it available for searching).

There are more endpoints available:

/api/status
/api/call/{entry}
/api/resources
/api/pipeline
/api/search

Sample configuration

- when update:
    - load:
        - https://mdq.aai.dfn.de/entities
        - https://mds.edugain.org/edugain-v2.xml as edugain
        - /data/metadata/ as linuxng
    - select:
    - fork:
        # /entities/dfnaai2
        - select as dfnaai2:
             - edugain!.//md:EntitiesDescriptor[md:EntityDescriptor[md:Extensions[mdrpi:RegistrationInfo[@registrationAuthority='https://www.aai.dfn.de']]]]
        - publish: /data/dfnaai-from-edugain.xml
        - break
    - fork:
        # /entities/dfnaai
        - select as dfnaai:
             - https://mdq-test.aai.dfn.de/entities
        - publish: /data/dfnaaitest.xml
        - break
    - fork:
        # /entities/idps
        - select as idps:
             - "!//md:EntityDescriptor[md:IDPSSODescriptor]"
        - publish: /data/idps-only.xml
        - break
    - fork:
        # /entities/sps
        - select as sps:
             - "!//md:EntityDescriptor[md:SPSSODescriptor]"
        - publish: /data/sps-only.xml
        - break
    - fork:
        # /entities/mydomain
        - select:
             - mydomain
        - pubinfo:
             publisher: https://mdx.mydomain.de/
        - first
        - finalize:
             baseURL: https://mdx.mydomain.de
             Name: https://www.mydomain.de
             ID: MYDOMAIN
             cacheDuration: PT5H
             validUntil: P10D
        - sign:
             key: default.key
             cert: default.crt
        - publish: /data/mydomain-merged.xml
        - break
    - break

- when request:
    - select:
    - pipe:
        - when accept application/samlmetadata+xml application/xml:
             - xslt:
                 stylesheet: tidy.xsl
             - first
             - finalize:
                 Name: https://www.mydomain.de
                 ID: MYDOMAIN
                 cacheDuration: PT5H
                 validUntil: P10D
             - sign:
                 key: default.key
                 cert: default.crt
             - emit application/xml
             - break
        - when accept application/json:
             - discojson
             - emit application/json:
             - break
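The request pipeline above serves each lookup as signed XML carrying the validUntil and cacheDuration values that finalize writes onto the aggregate (ten days and five hours in this sample). A consuming SP or IdP should refuse metadata past validUntil, re-fetch no later than cacheDuration, and only trust those attributes after verifying the signature that the sign step produces, because an unsigned validUntil can be forged. The added example below (my own code, not pyFF's) shows the client side: building the per-entity MDQ URL in both the percent-encoded and the {sha1}-transformed form that MDQ defines, building the search URL, and computing expiry and refresh time from a fetched aggregate. The base URL is taken from the sample config; the aggregate embedded in the code is constructed, unsigned test data, and signature verification itself is left to an XML signature library such as xmlsec or pyXMLSecurity.

```python
"""Client-side checks for metadata fetched from an MDQ service such as pyffd.
Added example, not pyFF code. The mdx.mydomain.de base URL comes from the
sample config; SAMPLE_AGGREGATE below is constructed, unsigned test data."""
import hashlib
import re
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed aggregate in the shape finalize produces (Name/ID/cacheDuration/
# validUntil on the root). A real response would also carry ds:Signature.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://www.mydomain.de" ID="MYDOMAIN"
    cacheDuration="PT5H" validUntil="2024-05-11T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def mdq_url(base_url, entity_id, transform="sha1"):
    """Per-entity MDQ URL. MDQ allows the entityID itself (percent-encoded)
    or the transformed identifier '{sha1}' + lowercase hex SHA-1 of the
    entityID; the braces are percent-encoded like any other reserved char."""
    base = base_url.rstrip("/") + "/entities/"
    if transform == "sha1":
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    elif transform is None:
        ident = entity_id
    else:
        raise ValueError("unsupported transform: %s" % transform)
    return base + urllib.parse.quote(ident, safe="")


def mdq_search_url(base_url, q):
    """The search form both thiss-mdq and pyffd expose: /entities/?q=..."""
    return base_url.rstrip("/") + "/entities/?" + urllib.parse.urlencode({"q": q})


# xs:duration subset that finalize values such as PT5H or P10D use
# (days/hours/minutes/seconds; years, months and weeks are not handled).
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    m = ISO_DURATION.match(text)
    if not m:
        raise ValueError("unsupported xs:duration: %s" % text)
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_datetime(text):
    """xs:dateTime as written by pyFF (UTC, trailing Z) into an aware datetime."""
    if text.endswith("Z"):
        text = text[:-1]
    dt = datetime.fromisoformat(text)
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def metadata_freshness(xml_text, now=None):
    """Decide whether an aggregate is still usable and when to re-fetch it.
    Call this only on a document whose signature has already been verified."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag not in ("{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS):
        raise ValueError("root element is not SAML metadata: %s" % root.tag)
    valid_until = parse_datetime(root.get("validUntil")) if root.get("validUntil") else None
    cache = parse_duration(root.get("cacheDuration")) if root.get("cacheDuration") else None
    expired = valid_until is not None and now >= valid_until
    # Refresh at the earlier of "cacheDuration from now" and the hard validUntil.
    refresh_at = now + cache if cache is not None else valid_until
    if valid_until is not None and refresh_at is not None:
        refresh_at = min(refresh_at, valid_until)
    return {
        "validUntil": valid_until,
        "cacheDuration": cache,
        "hasHardExpiry": valid_until is not None,
        "expired": expired,
        "refreshAt": refresh_at,
    }


if __name__ == "__main__":
    print(mdq_url("https://mdx.mydomain.de", "https://idp.example.org/idp/shibboleth"))
    print(mdq_url("https://mdx.mydomain.de", "https://idp.example.org/idp/shibboleth", transform=None))
    print(mdq_search_url("https://mdx.mydomain.de", "example"))
    print(metadata_freshness(SAMPLE_AGGREGATE, now=parse_datetime("2024-05-01T12:00:00Z")))
```

Note the gap between the two values in the sample config: cacheDuration PT5H tells clients how often to come back, but validUntil P10D is the hard limit. If pyffd stops updating, every consumer keeps trusting the last signed aggregate for up to ten days, so pick validUntil with that failure mode in mind.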
