EngineBlock integration
The most up-to-date flow is described here: https://github.com/OpenConext/OpenConext-engineblock/issues/1804
Sequence diagram
EB will only interact with SRAM if the SP is a SRAM-Service. SRAM-services are a different type of entity in Manage and will be included in the push to EB by Manage.
EB will interact with SRAM after the aggregation of additional attributes and before the Policy Decision Point is consulted. See https://github.com/OpenConext/OpenConext-engineblock/blob/main/library/EngineBlock/Corto/Filter/Input.php#L92
The call from EB to SRAM is a backend (server-to-server) call secured with basic authentication. If the answer from SRAM is an `interrupt`, then EB will redirect to the specified `redirect_url` with a base64-encoded XML document in the `signed_user` form parameter containing the `uid` of the user and the service identifier. The document needs to be signed in order for SRAM to verify and trust the XML content.
```mermaid
sequenceDiagram
actor User
participant SRAM Service
participant OIDC-NG
participant EngineBlock
participant Identity Provider
participant Attribute Aggregation
participant SRAM
participant PdP
User->>SRAM Service: Visits
SRAM Service->>OIDC-NG: Authorization URL
OIDC-NG->>EngineBlock: SAML Authn Request Redirect
EngineBlock->>EngineBlock: Service-IdP Matrix
EngineBlock->>EngineBlock: Show WAYF
EngineBlock->>Identity Provider: Redirect to SingleSignOnService
Identity Provider->>EngineBlock: SAML Authn Response
EngineBlock->>EngineBlock: Sanitise IdP attributes
Note right of EngineBlock: Validations against Manage conf
EngineBlock->>EngineBlock: Attribute manipulations
EngineBlock->>Attribute Aggregation: ARP and User attributes
Note right of EngineBlock: External ARP Sources?
Attribute Aggregation->>EngineBlock: Aggregated attributes
EngineBlock->>SRAM: Backchannel POST with user attributes
Note right of EngineBlock: Is SRAM service?
SRAM->>SRAM: Check valid User-Service
SRAM->>SRAM: Create response
Note left of SRAM: Interrupt / unauthorised reason?
SRAM->>EngineBlock: Result: authorised / interrupt / unauthorised
Note left of SRAM: Extra user attributes returned
EngineBlock->>SRAM: POST redirect to redirect_url if not authorised
Note right of EngineBlock: Signed XML with user_id
SRAM->>SRAM: agree AUP / perform 2MFA
SRAM->>EngineBlock: Redirect back to EB continue_url
EngineBlock->>PdP: User attributes
Note right of EngineBlock: PdP decision required?
PdP->>EngineBlock: Policy decision
EngineBlock->>EngineBlock: Apply ARP
EngineBlock->>OIDC-NG: SAML Authn Response
OIDC-NG->>SRAM Service: Redirect URL
Note right of SRAM Service: code
SRAM Service->>OIDC-NG: Token endpoint
Note right of SRAM Service: Backend channel
OIDC-NG->>SRAM Service: JWT token
SRAM Service->>OIDC-NG: User Info Endpoint
OIDC-NG->>SRAM Service: JSON User attributes
SRAM Service->>User: 🙏🏻
```
The backchannel POST from EB to SRAM carries a JSON payload:

```json
{
  "user_id": "[email protected]",
  "service_id": "https://entity_id_of_service",
  "issuer_id": "https://entity_id_of_authenticating_idp"
}
```
The result from SRAM to EB:

```json
{
  "status": {
    "result": "authorized / interrupt / unauthorized",
    "redirect_url": "https://test.sram.surf.nl/interrupt?key=value",
    "error_status": "1 / 2 / 3 / 4 / 97 / 98 / 99 / 100 / 101",
    "info": "USER_UNKNOWN / USER_IS_SUSPENDED / SERVICE_UNKNOWN / SERVICE_NOT_CONNECTED / NEW_FREE_RIDE_USER / MISSING_ATTRIBUTES / AUP_NOT_AGREED / SERVICE_AUP_NOT_AGREED / SECOND_FA_REQUIRED"
  },
  "attributes": {
    "eduPersonEntitlement": ["[email protected]", "[email protected]"],
    "eduPersonPrincipalName": ["[email protected]"],
    "uid": ["test_user"],
    "sshkey": ["ssh_key1", "ssh_key2"]
  }
}
```
The `attributes` are only included if the result equals `authorized`.

TODO: align with the implementation. See https://github.com/OpenConext/OpenConext-engineblock/blob/feature/sram-interrupt/sbs-stub/sbs.py
The `continue_url` is the URL to which SRAM will redirect the user back once the user has agreed to the AUPs or performed 2FA.
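The exchange above, worked through as an added example (this is not EngineBlock's or SRAM's own code): one side builds the backchannel payload and reacts to the three possible results, a constructed SRAM stub produces responses in the format shown, and the `signed_user` document is signed and verified. The page does not say which signature scheme EB uses on the XML, so HMAC-SHA256 over the `uid` and service id with a shared key is an assumption standing in for it; the XML element names, the redirect-host allow-list and the pairing of `error_status` codes with `info` strings (taken in the order the page lists them) are assumptions too.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed shared secret for the HMAC stand-in; the page says the XML is
# signed but does not name the scheme, so HMAC-SHA256 is an assumption here.
SIGNING_KEY = b"constructed-demo-signing-key"

# Assumption: EB only follows redirect_url to hosts it trusts, so a tampered
# SRAM response cannot turn the interrupt into a redirect elsewhere.
ALLOWED_REDIRECT_HOSTS = {"test.sram.surf.nl"}

# Constructed SRAM-side directory. error_status codes are paired with the info
# strings in the order the page lists them (an assumption about the mapping).
DIRECTORY = {
    "users": {
        "alice@example.org": {"suspended": False, "aup_agreed": False, "uid": "alice",
                              "entitlements": ["urn:mace:example.org:co:demo"]},
        "bob@example.org": {"suspended": False, "aup_agreed": True, "uid": "bob",
                            "entitlements": ["urn:mace:example.org:co:demo"]},
    },
    "services": {"https://entity_id_of_service": {"connected": True}},
}


def build_authz_payload(user_id, service_id, issuer_id):
    """JSON body of the backchannel POST from EB to SRAM, in the page's format."""
    return {"user_id": user_id, "service_id": service_id, "issuer_id": issuer_id}


def _mac(uid, service_id, key):
    # Length-prefix each field so ("a", "bc") and ("ab", "c") never share a MAC.
    msg = f"{len(uid)}:{uid}{len(service_id)}:{service_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_user_document(uid, service_id, key=SIGNING_KEY):
    """EB side: base64 XML carrying uid and service id for the signed_user
    form parameter (element names are assumptions)."""
    root = ET.Element("signed_user")
    ET.SubElement(root, "uid").text = uid
    ET.SubElement(root, "service_id").text = service_id
    ET.SubElement(root, "signature").text = _mac(uid, service_id, key)
    return base64.b64encode(ET.tostring(root, encoding="utf-8")).decode()


def verify_user_document(signed_user_b64, key=SIGNING_KEY):
    """SRAM side: return (uid, service_id) only if the signature checks out."""
    try:
        root = ET.fromstring(base64.b64decode(signed_user_b64, validate=True))
    except (ValueError, ET.ParseError):
        return None
    uid = root.findtext("uid") or ""
    service_id = root.findtext("service_id") or ""
    sig = root.findtext("signature") or ""
    if not hmac.compare_digest(sig, _mac(uid, service_id, key)):
        return None
    return uid, service_id


def sram_authz(payload, directory=DIRECTORY):
    """Constructed SRAM stub answering the backchannel POST in the page's format."""
    def deny(code, info):
        return {"status": {"result": "unauthorized", "error_status": code, "info": info}}
    user = directory["users"].get(payload["user_id"])
    if user is None:
        return deny(1, "USER_UNKNOWN")
    if user["suspended"]:
        return deny(2, "USER_IS_SUSPENDED")
    service = directory["services"].get(payload["service_id"])
    if service is None:
        return deny(3, "SERVICE_UNKNOWN")
    if not service["connected"]:
        return deny(4, "SERVICE_NOT_CONNECTED")
    if not user["aup_agreed"]:
        return {"status": {"result": "interrupt", "error_status": 99, "info": "AUP_NOT_AGREED",
                           "redirect_url": "https://test.sram.surf.nl/interrupt?reason=aup"}}
    return {"status": {"result": "authorized"},
            "attributes": {"uid": [user["uid"]], "eduPersonEntitlement": user["entitlements"]}}


def handle_sram_result(result, user_id, service_id):
    """EB side: turn the SRAM response into the next step of the login flow."""
    status = result.get("status", {})
    outcome = status.get("result")
    if outcome == "authorized":
        # Attributes are only present (and only trusted) on an authorized result.
        return {"action": "continue", "attributes": result.get("attributes", {})}
    if outcome == "interrupt":
        url = urlsplit(status.get("redirect_url", ""))
        if url.scheme != "https" or url.hostname not in ALLOWED_REDIRECT_HOSTS:
            return {"action": "deny", "reason": "untrusted redirect_url"}
        return {"action": "redirect", "url": url.geturl(),
                "form": {"signed_user": sign_user_document(user_id, service_id)}}
    return {"action": "deny", "reason": status.get("info", "unauthorized")}
```

Two details carry the security weight: `verify_user_document` rejects any `signed_user` whose signature does not match before the `uid` is used for anything, so a browser that posts a hand-edited document cannot impersonate another user; and `handle_sram_result` treats anything that is not literally `authorized` as a denial and refuses to redirect to a host outside the allow-list, so a malformed or tampered response fails closed.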
```mermaid
%%{init: {'theme':'forest'}}%%
sequenceDiagram
actor user as user User
participant app as Application
participant eb as Engineblock
participant sbsbe as SBS<br/>Backend
participant sbsfe as SBS<br/>Frontend
participant nonces as SBS<br/>nonces
user ->> app: Visits
app ->> eb: Authn request
eb ->> eb: filters
eb -->> sbsbe: /authz<br/>uid, continue_url<br/>service_id, issuer_id
sbsbe ->> sbsbe: checks
note right of sbsbe: skip or<br/>interrupt?
alt skip
sbsbe --> eb: skip, attributes
eb ->> eb: StepUp<br/>Consent
else interrupt
sbsbe -->> nonces: uid, continue_url<br/>service_id, issuer_id
sbsbe -->> eb: interrupt, nonce
eb ->> sbsfe: /interrupt<br/>nonce
nonces -->> sbsfe: uid, continue_url<br/>service_id, issuer_id
sbsfe ->> sbsfe: tasks
note right of sbsfe: mfa<br/>aup's
sbsfe ->> eb: /{continue_url}
eb -->> sbsbe: /attributes<br/>nonce
nonces -->> sbsbe: uid, service_id
sbsbe ->> sbsbe: CO's
note right of sbsbe: uid/service_id<br/>CO membership
sbsbe -->> eb: attributes
eb ->> eb: StepUp<br/>Consent
end
eb ->> app: Authn response
app ->> user: Return
```

PlantUML source: //www.plantuml.com/plantuml/png/dLCxZzim3DxrAuWijoJ87XJjFT2ElI6uJWOEait4WcrA5QcY3_I_LvPInKsG3gU9uFVWHoQ-Pz51uZIgtdO81-V4kEzAh8m87-be2Stesc6xVzo39S5Zq6AneMSFHhDb-AO9FZjgaPLknGLOlJ265MY6c0g5bCn-mEh1-z6sIUmeWzhxYYq6PGoDQXr9S2Eiqk267dKx87KPPCC6gpJ3dq9YB_03gawBJW7nnA2SCEEbL6fE1vltSv0TVB5iXLMgvnQQ7Jn4wGa2Vet8ej3yxH_iA1WuTr8hfzd1LYVwpuQYxTOmPxSKyJM6iQ6IzDLsAdFXB6fxR0TMv0GXs6Cl2jBZmNfm8TVpnKE8NZwej1xCJ7KCBlhCAlHYMjBbzXgqIB0c2dAcdCFl1VsBR-Z94ID9Dir-9zSwxyAwt6m7L-kjuRpUTPfgjouEvpJbLqftgvI6AgM0y6wpgOF_UzSgMHYBvg5ilpplwKq7NMiT_LqXrWkNb6b-JVbhEVft9bpy_ZdDY1EIyCKgvcgL6rUhRa_FTpUp9_bsgSulAM32oM3WtleRssnEzc_vUsZlayC_7mRxcLK-emGbXbBtIH6dyGy0
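The nonce-based variant in the second diagram, as an added example that is not part of the SBS project's code: `/authz` either answers `skip` with attributes or stores the request state under a fresh nonce and answers `interrupt`; `/interrupt` looks the nonce up for the frontend tasks and sends the user to `continue_url`; `/attributes` consumes the nonce and releases attributes by CO membership. The TTL, the single-use rule, the CO membership table and the pending-task bookkeeping are constructed assumptions the diagram does not spell out.

```python
import secrets
import time

# Assumption: an interrupt that is not completed within this window is dropped.
NONCE_TTL_SECONDS = 300

# Constructed CO membership table: uid -> service_id -> attributes to release.
CO_MEMBERSHIP = {
    "alice": {"https://service.example.org": {"eduPersonEntitlement": ["urn:mace:example.org:co:demo"]}},
}


class NonceStore:
    """In-memory stand-in for the 'SBS nonces' participant: the request state
    lives server-side and only an unguessable nonce travels through the browser."""

    def __init__(self, now=time.time, ttl=NONCE_TTL_SECONDS):
        self._now, self._ttl, self._entries = now, ttl, {}

    def issue(self, uid, continue_url, service_id, issuer_id):
        nonce = secrets.token_urlsafe(32)
        self._entries[nonce] = {"uid": uid, "continue_url": continue_url,
                                "service_id": service_id, "issuer_id": issuer_id,
                                "issued_at": self._now()}
        return nonce

    def _get(self, nonce):
        entry = self._entries.get(nonce)
        if entry is None:
            return None
        if self._now() - entry["issued_at"] > self._ttl:
            del self._entries[nonce]  # expired: drop it so it can never be replayed
            return None
        return entry

    def peek(self, nonce):
        """Frontend lookup (/interrupt): read without consuming."""
        return self._get(nonce)

    def consume(self, nonce):
        """Backend lookup (/attributes): single use, so one nonce releases attributes once."""
        entry = self._get(nonce)
        if entry is not None:
            del self._entries[nonce]
        return entry


def sbs_backend_authz(payload, store, pending):
    """/authz: 'skip' with attributes now, or 'interrupt' with a nonce.
    `pending` maps uid -> outstanding tasks (constructed bookkeeping)."""
    uid, service_id = payload["uid"], payload["service_id"]
    if pending.get(uid):
        nonce = store.issue(uid, payload["continue_url"], service_id, payload["issuer_id"])
        return {"result": "interrupt", "nonce": nonce}
    return {"result": "skip", "attributes": CO_MEMBERSHIP.get(uid, {}).get(service_id, {})}


def sbs_frontend_interrupt(nonce, store, pending):
    """/interrupt: run the user's tasks (mfa, aup's), then return continue_url."""
    entry = store.peek(nonce)
    if entry is None:
        return None  # unknown or expired nonce: nothing to show
    pending[entry["uid"]] = []  # constructed: the tasks are taken as completed here
    return entry["continue_url"]


def sbs_backend_attributes(nonce, store, pending):
    """/attributes: release attributes for the uid/service_id bound to the nonce."""
    entry = store.consume(nonce)
    if entry is None or pending.get(entry["uid"]):
        return None  # replayed, expired, or the user never finished the interrupt
    return CO_MEMBERSHIP.get(entry["uid"], {}).get(entry["service_id"], {})
```

The point of the store is that EB never has to trust what comes back through the browser: `continue_url`, `uid` and `service_id` are read from the entry the backend wrote, keyed by a 256-bit random nonce that expires and is consumed on the `/attributes` call, so a captured nonce is worthless after the flow completes.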