Implementing service provider

As mentioned on the other pages, ProxyIdP currently supports connecting services via two protocols, OIDC and SAML. This page contains common practices and tips on how to implement authentication using either of them.

OIDC

Recommended software:

  • Apache mod_auth_openidc (WebServer plugin)

  • oidc-client-js (JavaScript)

  • pyoidc (Python)

  • Spring Security OAuth2 (Java)

Implementing OIDC Relying Party using Apache with mod_auth_openidc

  1. Install Apache and mod_auth_openidc, preferably from system packages, e.g. on Debian/Ubuntu by installing the packages apache2 and libapache2-mod-auth-openidc.

  2. After setting up TLS and your website, edit the virtual web server configuration in /etc/apache2/sites-enabled/*.conf and add the following directives:

     OIDCProviderMetadataURL https://login.e-infra.cz/oidc/.well-known/openid-configuration
     OIDCProviderMetadataRefreshInterval 3600
     OIDCClientID YOUR_CLIENT_ID
     OIDCClientSecret YOUR_CLIENT_SECRET
     OIDCScope "openid email profile"
     # encrypt cache
     OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
     OIDCCacheEncrypt On
     # REMOTE_USER variable set from claim sub, default is sub@iss
     OIDCRemoteUserClaim sub
     # timeout for inactive session, default is 300 seconds
     OIDCSessionInactivityTimeout 86400
     # timeout for active session, default is 28800 seconds
     OIDCSessionMaxDuration 86400
     # non-existing URL for returning from OIDC server
     OIDCRedirectURI "/oauth2callback"
     <Location "/oauth2callback">
         AuthType openid-connect
         Require valid-user
     </Location>

     For the documentation of these directives see https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf

  3. Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with the client_id and client_secret obtained during SP registration.

  4. In the OIDCScope directive set the scopes that you registered for your service, e.g. add eduperson_entitlement, separated by a space, to the value.

  5. Set up protection of the web pages that need it, e.g.:

     <Location "/mywebapp/*">
         AuthType openid-connect
         Require valid-user
     </Location>

  6. If you need more complex access control, use the directive Require claim; for documentation see mod_auth_openidc Authorization and mod_authz_core RequireAll, e.g.:

     <Directory /var/www/wiki>
         AuthType openid-connect
         <RequireAll>
             Require claim "preferred_username~.+"
             Require claim "eduperson_entitlement:urn:geant:cesnet.cz:group:myvo:mygroup#perun.cesnet.cz"
         </RequireAll>
         ErrorDocument 401 /not-authorized.html
     </Directory>
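
As an added illustration of how the RequireAll block above is evaluated (example code written for this page, not mod_auth_openidc's own implementation): the claim values are constructed sample data, and the matching is a simplified model of the module's Require claim semantics (name:value is an exact match, name~regex is a regular-expression match, a multi-valued claim such as eduperson_entitlement matches on any element, and a missing claim never matches).

```python
import re

# Constructed sample claims, as mod_auth_openidc would expose them to the
# application after login (not a real token from login.e-infra.cz).
SAMPLE_CLAIMS = {
    "sub": "a1b2c3@einfra.cesnet.cz",
    "preferred_username": "jdoe",
    "eduperson_entitlement": [
        "urn:geant:cesnet.cz:group:myvo:mygroup#perun.cesnet.cz",
        "urn:geant:cesnet.cz:group:myvo:othergroup#perun.cesnet.cz",
    ],
}

# The two rules from the <RequireAll> block for /var/www/wiki above.
WIKI_RULES = [
    "preferred_username~.+",
    "eduperson_entitlement:urn:geant:cesnet.cz:group:myvo:mygroup#perun.cesnet.cz",
]

# Claim name, then the first ':' (exact match) or '~' (regex match);
# the remainder is the expected value, which may itself contain colons.
RULE_RE = re.compile(r"^([^:~]+)([:~])(.+)$")


def claim_matches(claims: dict, rule: str) -> bool:
    """Evaluate one 'Require claim' rule (simplified model, see lead-in)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"malformed Require claim rule: {rule!r}")
    name, op, expected = m.groups()
    if name not in claims:
        return False  # missing claim never matches: fail closed
    value = claims[name]
    # Multi-valued claims (e.g. eduperson_entitlement) match on any element.
    values = value if isinstance(value, list) else [value]
    values = [str(v) for v in values]
    if op == "~":
        pattern = re.compile(expected)  # unanchored search, as an assumption
        return any(pattern.search(v) for v in values)
    return expected in values


def require_all(claims: dict, rules: list) -> bool:
    """<RequireAll>: every rule must match; an empty block grants nothing."""
    return bool(rules) and all(claim_matches(claims, r) for r in rules)


def wiki_access_allowed(claims: dict) -> bool:
    """Decision for /var/www/wiki: True = serve page, False = 401 page."""
    return require_all(claims, WIKI_RULES)
```

The real module also supports nested claim names and other rule forms; consult the Authorization documentation linked above for the full syntax.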

For more information about the OpenID Connect protocol, or for a step-by-step guide on how to implement an OIDC Relying Party, please look at our presentation.

For a manual on how to connect your service to the AAI, visit: registration service provider into EINFRA AAI.

For a demo OIDC RP running on localhost, see the repository https://github.com/CESNET/demo-oidc-rp-localhost

SAML

Recommended software:

  • Shibboleth SP (Apache web server plugin)

  • SimpleSAMLphp (PHP)

  • Spring Security SAML (Java)

  • Keycloak

Guides on how to implement a service provider using Shibboleth SP v3 and SimpleSAMLphp are available on the wiki page of the Czech academic identity federation eduID.cz. (Available only in the Czech language.)

Support: perun@cesnet.cz