Commit
Showing 25 changed files with 2,500 additions and 0 deletions.
@@ -0,0 +1,9 @@ | ||
coverage: | ||
precision: 2 | ||
round: down | ||
range: "40...100" | ||
status: | ||
project: | ||
default: | ||
target: auto | ||
threshold: 5% |
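Review bot: `threshold: 5%` under `status.project.default`, combined with `target: auto`, lets project coverage fall by up to five points on every commit without failing the status, so coverage can ratchet down indefinitely over a series of commits; if the check is meant to hold a floor, set an explicit numeric `target` (or a much smaller threshold such as `threshold: 0.5%`). The `range: "40...100"` only colours the badge and enforces nothing.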
@@ -0,0 +1,11 @@ | ||
# To get started with Dependabot version updates, you'll need to specify which | ||
# package ecosystems to update and where the package manifests are located. | ||
# Please see the documentation for all configuration options: | ||
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
||
version: 2 | ||
updates: | ||
- package-ecosystem: maven # See documentation for possible values | ||
directory: "/" # Location of package manifests | ||
schedule: | ||
interval: "weekly" |
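Review bot: only `package-ecosystem: maven` is listed, so the GitHub Actions introduced by the workflows in this same commit (`actions/checkout@v3`, `actions/setup-java@v3` and `@v4`, `actions/cache@v3`) will never receive update PRs; add a second entry with `package-ecosystem: "github-actions"` and `directory: "/"` on the same weekly schedule. Keeping those actions current matters more than usual here because the release workflow hands them the GPG signing key and the Maven Central credentials.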
@@ -0,0 +1,48 @@ | ||
name: CI | ||
on: | ||
push: | ||
branches: | ||
- '**' | ||
pull_request: | ||
types: [opened, synchronize, reopened] | ||
workflow_dispatch: {} | ||
jobs: | ||
test: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- uses: actions/setup-java@v3 | ||
with: | ||
java-version: '17' | ||
distribution: 'adopt' | ||
|
||
- name: Run tests | ||
run: mvn test | ||
|
||
#- name: Create Jacoco report | ||
# run: mvn -f ./core org.jacoco:jacoco-maven-plugin:0.8.8:report -Djacoco.dataFile="$(readlink -f ./tests/target/jacoco.exec)" | ||
|
||
- name: Cache SonarCloud packages | ||
uses: actions/cache@v3 | ||
with: | ||
path: ~/.sonar/cache | ||
key: ${{ runner.os }}-sonar | ||
restore-keys: ${{ runner.os }}-sonar | ||
|
||
- name: Cache Maven packages | ||
uses: actions/cache@v3 | ||
with: | ||
path: ~/.m2 | ||
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | ||
restore-keys: ${{ runner.os }}-m2 | ||
|
||
- name: Build and analyze | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
run: "mvn -B verify --no-transfer-progress" # org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=opdt_keycloak-extension-bundid |
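Review bot: the `Build and analyze` step exports `SONAR_TOKEN` and `GITHUB_TOKEN` into the environment of `mvn -B verify` even though the sonar goal has been commented out of the `run:` line, so every Maven plugin and every test executed during `verify` can read both tokens for no benefit; drop the `env:` block (or move the tokens into a dedicated sonar step) until the scanner is re-enabled. Two smaller points in the same job: the earlier `mvn test` step is redundant once `verify` runs the same tests again, and every action is pinned to a floating major tag (`@v3`) while the release workflow already uses `setup-java@v4`; pin to full commit SHAs with the tag noted in a comment. Note also that setup-java's `distribution: 'adopt'` refers to AdoptOpenJDK, which has moved to Eclipse Temurin (`temurin`).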
@@ -0,0 +1,34 @@ | ||
name: Release | ||
on: | ||
push: | ||
tags: '**' | ||
workflow_dispatch: {} | ||
jobs: | ||
publish: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
- name: Install gpg secret key | ||
id: install-secret-key | ||
run: | | ||
# Install gpg secret key | ||
cat <(echo -e "${{ secrets.gpg_private_key }}") | gpg --batch --import | ||
# Verify gpg secret key | ||
gpg --list-secret-keys --keyid-format LONG | ||
- name: Set up Maven Central Repository | ||
uses: actions/setup-java@v4 | ||
with: | ||
java-version: '17' | ||
distribution: 'adopt' | ||
server-id: ossrh | ||
server-username: MAVEN_USERNAME | ||
server-password: MAVEN_PASSWORD | ||
- name: Publish package | ||
run: | | ||
mvn --batch-mode -Dgpg.passphrase="${{ secrets.gpg_passphrase }}" -Pdeploy clean deploy | ||
env: | ||
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }} | ||
MAVEN_PASSWORD: ${{ secrets.NEXUS_TOKEN }} |
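Review bot: the `Install gpg secret key` step splices `${{ secrets.gpg_private_key }}` directly into the shell script body, and `Publish package` puts `${{ secrets.gpg_passphrase }}` on the `mvn` command line via `-Dgpg.passphrase=`; the expression is expanded before the shell starts, so the private key text becomes part of the generated script, and the passphrase is visible to every process on the runner through the argument list (`ps`) and to any build plugin that dumps system properties. Pass both through `env:` instead, the way `MAVEN_USERNAME`/`MAVEN_PASSWORD` already are: `echo "$GPG_PRIVATE_KEY" | gpg --batch --import` with `env: GPG_PRIVATE_KEY: ${{ secrets.gpg_private_key }}`, and `MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}` for the passphrase, which maven-gpg-plugin 3.x reads without a command-line flag; `actions/setup-java@v4` also accepts `gpg-private-key` and `gpg-passphrase` inputs that perform this import for you. Separately, `on: push: tags: '**'` plus `workflow_dispatch` publishes to Maven Central for any tag pushed by anyone with write access; consider a tag pattern such as `v*` and a protected environment that holds the signing and Nexus secrets.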
@@ -0,0 +1,35 @@ | ||
.m2 | ||
pom.xml.versionsBackup | ||
|
||
target/ | ||
!.mvn/wrapper/maven-wrapper.jar | ||
!**/src/main/**/target/ | ||
!**/src/test/**/target/ | ||
|
||
### IntelliJ IDEA ### | ||
.idea/**/* | ||
|
||
### Eclipse ### | ||
.apt_generated | ||
.classpath | ||
.factorypath | ||
.project | ||
.settings | ||
.springBeans | ||
.sts4-cache | ||
|
||
### NetBeans ### | ||
/nbproject/private/ | ||
/nbbuild/ | ||
/dist/ | ||
/nbdist/ | ||
/.nb-gradle/ | ||
build/ | ||
!**/src/main/**/build/ | ||
!**/src/test/**/build/ | ||
|
||
### VS Code ### | ||
.vscode/ | ||
|
||
### Mac OS ### | ||
.DS_Store |
@@ -0,0 +1,56 @@ | ||
# keycloak-extension-bundid-trustlevel | ||
|
||
## Mission | ||
|
||
Die Nutzung von *BundID* für die Identifizierung basiert auf *SAML*. Im *SAML-Request* müssen einige Einstellungen für das benötigte Vertrausniveau, die zulesenden Elemente | ||
und *DisplayInformation* abgebildet sein. Diese *Keycloak-Extension* sorgt für die Anreicherung des *SAML-Requests*. | ||
|
||
### Deklaration der angeforderten Attribute | ||
|
||
<saml2p:Extensions> | ||
<akdb:AuthenticationRequest xmlns:akdb="https://www.akdb.de/request/2018/09" Version="2"> | ||
<akdb:RequestedAttributes> | ||
<akdb:RequestedAttribute Name="urn:oid:2.5.4.18" RequiredAttribute="false" /> | ||
<akdb:RequestedAttribute Name="urn:oid:1.2.40.0.10.2.1.1.149" RequiredAttribute="true" /> | ||
<akdb:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25484.494450.3"/> | ||
... | ||
</akdb:RequestedAttributes> | ||
</akdb:AuthenticationRequest> | ||
</saml2p:Extensions> | ||
|
||
Diese Extension definiert einen eigenen IdentityProviderMapper (für das Mapping von BundID-Attributen in die Keycloak-Session): `saml-bundid-session-attribute-idp-mapper`. | ||
Dieser Mapper erlaubt zusätzlich die Angabe einer `OID` sowie ob das Feld als Pflichtattribut angefordert werden soll. | ||
Dadurch werden automatisch die o.g. `RequestedAttributes` im SAML-Request befüllt. | ||
|
||
Zur weiteren Vereinfachung gibt es zudem die Möglichkeit, den `oidc-bundid-sessionnote-mapper` (Keycloak-ProtocolMapper zum Mapping der Attribute aus der UserSession in das Token) zu nutzen. | ||
Darüber werden alle vom `saml-bundid-session-attribute-idp-mapper` in die Session gemappten Attribute (+ jeweils ein Attribut zur Angabe des zugehörigen Vertrauensniveaus) in das Token gemapped. | ||
|
||
### Anforderung minimales Vertrauensniveau | ||
|
||
<saml2p:RequestedAuthnContext Comparison="minimum"> | ||
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">STORK-QAA-Level-3</saml2:AuthnContextClassRef> | ||
</saml2p:RequestedAuthnContext> | ||
|
||
Gesteuert wird dies über das angeforderte `Level of Authentication (LoA)`, wobei hier die Werte 1 bis 4 zulässig sind. | ||
Die Anforderung von LoA erfolgt über die Keycloak Step-Up-Authentication. Weitere Infos sind der Keycloak-Dokumentation zu entnehmen. | ||
|
||
### Übergabe weiterer Pflichtattribute | ||
|
||
<saml2p:Extensions> | ||
<akdb:AuthenticationRequest xmlns:akdb="https://www.akdb.de/request/2018/09" Version="2"> | ||
<akdb:DisplayInformation> | ||
<classic-ui:Version xmlns:classic-ui="https://www.akdb.de/request/2018/09/classic-ui/v1"> | ||
<classic-ui:OrganizationDisplayName>Bundesagentur für Arbeit</classic-ui:OrganizationDisplayName> | ||
<classic-ui:OnlineServiceId>BMI-4711</classic-ui:OnlineServiceId> | ||
</classic-ui:Version> | ||
</akdb:DisplayInformation> | ||
</akdb:AuthenticationRequest> | ||
</saml2p:Extensions> | ||
|
||
Die BundID schreibt zukünftig die Übergabe weiterer Pflichtattribute vor: | ||
- Organization Display Name (wird dem Nutzer vor Rücksprung zum Service Provider angezeigt) | ||
- Online Service ID (der für den Service Provider durch das BSI vergebene Identifier) | ||
|
||
Die Werte für diese Attribute werden über Keycloak-Konfigurationsparameter definiert (hier als ENV-Variable angegeben, kann aber analog sonstiger Keycloak-Konfiguration auch anders gesetzt werden): | ||
- `KC_SPI_SAML_AUTHENTICATION_PREPROCESSOR_BUNDID_PROTOCOL_ONLINE_SERVICE_ID` | ||
- `KC_SPI_SAML_AUTHENTICATION_PREPROCESSOR_BUNDID_PROTOCOL_ORGANIZATION_DISPLAY_NAME` |
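Review bot: the README documents only the request side of the trust-level handling (`RequestedAuthnContext Comparison="minimum"` with `STORK-QAA-Level-3`) and never says where the assertion that comes back is checked against the requested minimum; a `RequestedAuthnContext` is a request, not a guarantee, so the README should state that the extension (or Keycloak's step-up flow) rejects an assertion whose `AuthnContextClassRef` is below the requested level, or say explicitly that this is the deployer's responsibility. The mapper section names `saml-bundid-session-attribute-idp-mapper` and the `OID`/required flag it takes but not the configuration keys, and the LoA paragraph says values 1 to 4 are allowed without giving their mapping to `STORK-QAA-Level-N`. Typos in the German text: `Vertrausniveau` should read `Vertrauensniveau`, `zulesenden` should read `zu lesenden`, and `gemapped` should read `gemappt`.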