Initial commit
Signed-off-by: opdt <[email protected]>
opdt committed Sep 16, 2024
0 parents commit 0befe97
Showing 25 changed files with 2,500 additions and 0 deletions.
9 changes: 9 additions & 0 deletions .github/codecov.yaml
@@ -0,0 +1,9 @@
coverage:
precision: 2
round: down
range: "40...100"
status:
project:
default:
target: auto
threshold: 5%
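Review bot: the `status.project.default` gate in this file (`target: auto`, `threshold: 5%`) has nothing feeding it: the only coverage step in `ci.yaml` in this same commit (the Jacoco report) is commented out and no step uploads a report to Codecov, so the status check can never run. Either add the report generation and upload steps to the `test` job or leave this file out until they exist, so nobody reads a coverage gate into a pipeline that does not produce one.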
11 changes: 11 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,11 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
- package-ecosystem: maven # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "weekly"
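Review bot: the `updates:` list covers only `maven`, so the actions the two workflows in this commit depend on (`actions/checkout@v3`, `actions/setup-java@v3` and `@v4`, `actions/cache@v3`) will never be bumped by Dependabot. Add a second entry with `package-ecosystem: github-actions`, `directory: "/"` and the same weekly schedule; once the actions are pinned to commit SHAs (see the workflow notes), that entry is what keeps the pins current.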
48 changes: 48 additions & 0 deletions .github/workflows/ci.yaml
@@ -0,0 +1,48 @@
name: CI
on:
push:
branches:
- '**'
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch: {}
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0

- uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'adopt'

- name: Run tests
run: mvn test

#- name: Create Jacoco report
# run: mvn -f ./core org.jacoco:jacoco-maven-plugin:0.8.8:report -Djacoco.dataFile="$(readlink -f ./tests/target/jacoco.exec)"

- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar

- name: Cache Maven packages
uses: actions/cache@v3
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2

- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: "mvn -B verify --no-transfer-progress" # org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=opdt_keycloak-extension-bundid
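Review bot: the `env:` block on the "Build and analyze" step hands `SONAR_TOKEN` and `GITHUB_TOKEN` to a step that no longer uses them, since the `sonar-maven-plugin` invocation is commented out and the step only runs `mvn -B verify --no-transfer-progress`; drop the `env:` block until the scanner is re-enabled so the secrets are only exposed to steps that need them. Three smaller points in the same hunk: the two `actions/cache@v3` steps sit after "Run tests", so the first Maven resolve (`mvn test`) never benefits from the `~/.m2` cache, and `mvn verify` afterwards runs the whole test suite a second time (move the cache steps before the first Maven call and drop either `mvn test` or the `verify`); every action is pinned to a floating major tag (`@v3`) rather than a full commit SHA, which is the supply-chain pin you want for a job that handles tokens; and `distribution: 'adopt'` refers to the discontinued AdoptOpenJDK builds, for which setup-java recommends `temurin`.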
34 changes: 34 additions & 0 deletions .github/workflows/release.yaml
@@ -0,0 +1,34 @@
name: Release
on:
push:
tags: '**'
workflow_dispatch: {}
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install gpg secret key
id: install-secret-key
run: |
# Install gpg secret key
cat <(echo -e "${{ secrets.gpg_private_key }}") | gpg --batch --import
# Verify gpg secret key
gpg --list-secret-keys --keyid-format LONG
- name: Set up Maven Central Repository
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'adopt'
server-id: ossrh
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
- name: Publish package
run: |
mvn --batch-mode -Dgpg.passphrase="${{ secrets.gpg_passphrase }}" -Pdeploy clean deploy
env:
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.NEXUS_TOKEN }}
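Review bot: `-Dgpg.passphrase="${{ secrets.gpg_passphrase }}"` in the "Publish package" `run:` puts the signing passphrase on the `mvn` command line, where it is readable in the process list of the runner for the whole build; pass it through an environment variable instead (recent maven-gpg-plugin versions read `MAVEN_GPG_PASSPHRASE`, and `actions/setup-java@v4` exposes the `gpg-private-key` and `gpg-passphrase` inputs, which would also replace the hand-rolled `cat <(echo -e ...) | gpg --batch --import` step and its `gpg --list-secret-keys` dump). Separately, the trigger `tags: '**'` plus `workflow_dispatch` means any tag push or manual dispatch by anyone with write access publishes to Maven Central with the repository's `NEXUS_*` credentials; bind the `publish` job to a protected `environment:` with required reviewers and narrow the tag pattern (e.g. `v*`). The mix of `actions/checkout@v3` and `setup-java@v4` also suggests the pins were not chosen deliberately; pin both to commit SHAs.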
35 changes: 35 additions & 0 deletions .gitignore
@@ -0,0 +1,35 @@
.m2
pom.xml.versionsBackup

target/
!.mvn/wrapper/maven-wrapper.jar
!**/src/main/**/target/
!**/src/test/**/target/

### IntelliJ IDEA ###
.idea/**/*

### Eclipse ###
.apt_generated
.classpath
.factorypath
.project
.settings
.springBeans
.sts4-cache

### NetBeans ###
/nbproject/private/
/nbbuild/
/dist/
/nbdist/
/.nb-gradle/
build/
!**/src/main/**/build/
!**/src/test/**/build/

### VS Code ###
.vscode/

### Mac OS ###
.DS_Store
56 changes: 56 additions & 0 deletions README.md
@@ -0,0 +1,56 @@
# keycloak-extension-bundid-trustlevel

## Mission

Die Nutzung von *BundID* für die Identifizierung basiert auf *SAML*. Im *SAML-Request* müssen einige Einstellungen für das benötigte Vertrausniveau, die zulesenden Elemente
und *DisplayInformation* abgebildet sein. Diese *Keycloak-Extension* sorgt für die Anreicherung des *SAML-Requests*.

### Deklaration der angeforderten Attribute

<saml2p:Extensions>
<akdb:AuthenticationRequest xmlns:akdb="https://www.akdb.de/request/2018/09" Version="2">
<akdb:RequestedAttributes>
<akdb:RequestedAttribute Name="urn:oid:2.5.4.18" RequiredAttribute="false" />
<akdb:RequestedAttribute Name="urn:oid:1.2.40.0.10.2.1.1.149" RequiredAttribute="true" />
<akdb:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25484.494450.3"/>
...
</akdb:RequestedAttributes>
</akdb:AuthenticationRequest>
</saml2p:Extensions>

Diese Extension definiert einen eigenen IdentityProviderMapper (für das Mapping von BundID-Attributen in die Keycloak-Session): `saml-bundid-session-attribute-idp-mapper`.
Dieser Mapper erlaubt zusätzlich die Angabe einer `OID` sowie ob das Feld als Pflichtattribut angefordert werden soll.
Dadurch werden automatisch die o.g. `RequestedAttributes` im SAML-Request befüllt.

Zur weiteren Vereinfachung gibt es zudem die Möglichkeit, den `oidc-bundid-sessionnote-mapper` (Keycloak-ProtocolMapper zum Mapping der Attribute aus der UserSession in das Token) zu nutzen.
Darüber werden alle vom `saml-bundid-session-attribute-idp-mapper` in die Session gemappten Attribute (+ jeweils ein Attribut zur Angabe des zugehörigen Vertrauensniveaus) in das Token gemapped.

### Anforderung minimales Vertrauensniveau

<saml2p:RequestedAuthnContext Comparison="minimum">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">STORK-QAA-Level-3</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>

Gesteuert wird dies über das angeforderte `Level of Authentication (LoA)`, wobei hier die Werte 1 bis 4 zulässig sind.
Die Anforderung von LoA erfolgt über die Keycloak Step-Up-Authentication. Weitere Infos sind der Keycloak-Dokumentation zu entnehmen.

### Übergabe weiterer Pflichtattribute

<saml2p:Extensions>
<akdb:AuthenticationRequest xmlns:akdb="https://www.akdb.de/request/2018/09" Version="2">
<akdb:DisplayInformation>
<classic-ui:Version xmlns:classic-ui="https://www.akdb.de/request/2018/09/classic-ui/v1">
<classic-ui:OrganizationDisplayName>Bundesagentur für Arbeit</classic-ui:OrganizationDisplayName>
<classic-ui:OnlineServiceId>BMI-4711</classic-ui:OnlineServiceId>
</classic-ui:Version>
</akdb:DisplayInformation>
</akdb:AuthenticationRequest>
</saml2p:Extensions>

Die BundID schreibt zukünftig die Übergabe weiterer Pflichtattribute vor:
- Organization Display Name (wird dem Nutzer vor Rücksprung zum Service Provider angezeigt)
- Online Service ID (der für den Service Provider durch das BSI vergebene Identifier)

Die Werte für diese Attribute werden über Keycloak-Konfigurationsparameter definiert (hier als ENV-Variable angegeben, kann aber analog sonstiger Keycloak-Konfiguration auch anders gesetzt werden):
- `KC_SPI_SAML_AUTHENTICATION_PREPROCESSOR_BUNDID_PROTOCOL_ONLINE_SERVICE_ID`
- `KC_SPI_SAML_AUTHENTICATION_PREPROCESSOR_BUNDID_PROTOCOL_ORGANIZATION_DISPLAY_NAME`
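Review bot: the "Anforderung minimales Vertrauensniveau" section says the requested LoA may be 1 to 4 and shows `STORK-QAA-Level-3` in the `RequestedAuthnContext` example, but never states the mapping from the Keycloak LoA value to the `AuthnContextClassRef` that is sent, nor what the preprocessor emits when the client requests no LoA at all; both belong in the README since the `Comparison="minimum"` semantics depend on them. Likewise the "Übergabe weiterer Pflichtattribute" section documents the two `KC_SPI_SAML_AUTHENTICATION_PREPROCESSOR_BUNDID_PROTOCOL_*` parameters but not the behaviour when one is unset (is the `DisplayInformation` element omitted, or does startup fail?), and the `RequestedAttributes` example shows an element without `RequiredAttribute` without stating the default the mapper applies. Style: "Vertrausniveau" in the Mission paragraph should read "Vertrauensniveau".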