

SAML Configuration Refactoring

Based on the documentation at https://github.com/nginxinc/nginx-saml, we can update our nginx configuration with the configuration directives described below.

Nginx http context:

Variables:

  • $saml_sp_entity_id: (required) Unique identifier that identifies the SP to the IdP. Must be a URL or URN (e.g. https://netbox.saml.test.tech.ec.europa.eu).
  • $saml_sp_acs_url: (required) The ACS URL, the endpoint on the SP to which the IdP redirects with its authentication response. Must match the ACS location defined in the server context.
  • $saml_sp_request_binding: (required) The method by which the AuthnRequest is sent from the SP to the IdP during Single Sign-On (SSO). Only "HTTP-POST" or "HTTP-Redirect" are allowed (default "HTTP-POST").
  • $saml_sp_sign_authn: (required) Whether the SP signs the AuthnRequest sent to the IdP. Can be "true" or "false" (default "false"). The Acceptance EU Login service accepts "false"; production should be "true".
  • $saml_sp_signing_key: (required) Path to the SP private key used to sign the AuthnRequest and the LogoutRequest/LogoutResponse sent to the IdP (default ""). The Acceptance EU Login service accepts ""; production should set it. Note that this key is not the one used to decrypt an encrypted assertion or NameID; nginx-saml has a separate $saml_sp_decryption_key for that.
  • $saml_sp_force_authn: (required) Whether the SP forces the IdP to re-authenticate the user even when the IdP already holds an SSO session for them. Can be "true" or "false" (default "false"). Set to "true" only if a policy requires it: it makes users log in again every time the SP starts an SSO flow.
  • $saml_sp_nameid_format: (required) The desired format of the name identifier in the SAML assertion generated by the IdP. See section 8.3 of the SAML 2.0 Core specification (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) for the list of allowed NameID formats (default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
  • $saml_sp_relay_state: (required) Relative or absolute URL the SP redirects to after successful sign-on. If set to "" (default), the value of the auth_redir cookie is used, and "/" if that cookie is not found. With the current nginx-saml implementation the browser's request for /favicon.ico can start the flow and leave /favicon.ico in the auth_redir cookie; that is not the default behaviour we want.
  • $saml_sp_want_signed_response: (required) Whether the SP requires the SAML Response from the IdP to be digitally signed (default "false"). The Acceptance EU Login service accepts "false"; production should be "true".
  • $saml_sp_want_signed_assertion: (required) Whether the SP requires the SAML Assertion from the IdP to be digitally signed (default "false"). The Acceptance EU Login service accepts "false"; production should be "true".
  • $saml_sp_want_encrypted_assertion: (required) Whether the SP requires the SAML Assertion from the IdP to be encrypted. Can be "true" or "false" (default "false").
  • $saml_idp_entity_id: (required) Unique identifier that identifies the IdP to the SP. Must be a URL or URN; cannot be "" (setting for Acceptance EU Login: "urn:ec.europa.eu:eulogin:acceptance:saml").
  • $saml_idp_sso_url: (required) IdP endpoint URL to which the SP sends the SAML AuthnRequest to initiate authentication. Cannot be "" (setting for Acceptance EU Login: "https://ecas.acceptance.ec.europa.eu/cas/").
  • $saml_idp_verification_certificate: (required) Path to the certificate used to verify the digital signature on the SAML Response, LogoutRequest or LogoutResponse received from the IdP. Must be a public key in PKCS#1 format (default ""). The Acceptance EU Login service accepts ""; production should set it, since without it the SP has nothing to verify IdP signatures against.
  • $saml_sp_slo_url: (required) SP endpoint URL to which the IdP sends the SAML LogoutRequest to initiate a logout, or the LogoutResponse to confirm one. Cannot be "" if logout is wanted (and it is). Must match the Single Logout Service (SLS) location defined in the server context.
  • $saml_sp_slo_binding: (required) The method by which a LogoutRequest or LogoutResponse is sent from the SP to the IdP during Single Logout (SLO). Only "HTTP-POST" or "HTTP-Redirect" are allowed (default "HTTP-POST").
  • $saml_sp_sign_slo: (required) Whether the SP signs the LogoutRequest or LogoutResponse sent to the IdP (default "false"). The Acceptance EU Login service accepts "false"; production should be "true".
  • $saml_idp_slo_url: (required) IdP endpoint URL to which the SP sends the LogoutRequest to initiate a logout, or the LogoutResponse to confirm one. If not set (value ""), the SAML Single Logout (SLO) feature is DISABLED: a request to the 'logout' location only terminates the local user session and redirects to the logout landing page.
  • $saml_sp_want_signed_slo: (required) Whether the SP requires the LogoutRequest or LogoutResponse from the IdP to be digitally signed (default "false"). The Acceptance EU Login service accepts "false"; production should be "true".
  • $saml_logout_landing_page: (required) Where the user is redirected after requesting the /logout location. Can be a custom logout page or a complete URL (default "/_logout").
  • $saml_cookie_flags: (required) Attributes set on the session cookies. They depend on the scheme (HTTP or HTTPS); over HTTPS they must include Secure. See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp_configuration.conf#L142
  • $redirect_base: (required) Base URL (scheme, host and port) used to build absolute redirects. See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp_configuration.conf#L147
  • $proto: (required) Scheme used by $redirect_base. See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp_configuration.conf#L147

Keyval storage configuration

See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp_configuration.conf#L160

The keyval_zone and keyval configuration directives (see https://nginx.org/en/docs/http/ngx_http_keyval_module.html) must be present in the http context.

Import JS file

Import the JavaScript (njs) functions that implement the SAML Web Browser SSO profile.

js_import samlsp from conf.d/saml_sp.js;

The saml_sp.js file must be present on the file system.
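The whole http context assembled from the variables, key-value store and JS import above, as an added example and not the page's or nginx-saml's own configuration. The active values are the production ones; what the Acceptance EU Login service tolerates is noted as "ACC:". The key and certificate paths, the keyval zone name, the cookie flag string and the IdP SLO endpoint are assumptions and must be taken from the real deployment and from the linked saml_sp_configuration.conf; the $proto/$redirect_base maps follow the nginx-saml pattern referenced above.

```nginx
# http context: SAML SP settings as nginx-saml reads them (map blocks keyed on $host).
# Active value = production; "ACC:" = what Acceptance EU Login tolerates.

map $host $saml_sp_entity_id        { default "https://netbox.saml.test.tech.ec.europa.eu"; }
map $host $saml_sp_acs_url          { default "https://netbox.saml.test.tech.ec.europa.eu/saml/acs"; }  # = location /saml/acs
map $host $saml_sp_request_binding  { default "HTTP-POST"; }

# Outbound signing. ACC: "false" and ""; production signs every AuthnRequest and LogoutRequest.
map $host $saml_sp_sign_authn       { default "true"; }
map $host $saml_sp_signing_key      { default "/etc/nginx/saml/sp_signing.key"; }  # placeholder path

map $host $saml_sp_force_authn      { default "false"; }   # "true" = fresh login on every SSO flow
map $host $saml_sp_nameid_format    { default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"; }
map $host $saml_sp_relay_state      { default ""; }        # "" -> auth_redir cookie, else "/"

# Inbound verification. ACC: "false"; production refuses unsigned Responses and Assertions.
map $host $saml_sp_want_signed_response     { default "true"; }
map $host $saml_sp_want_signed_assertion    { default "true"; }
map $host $saml_sp_want_encrypted_assertion { default "false"; }

map $host $saml_idp_entity_id       { default "urn:ec.europa.eu:eulogin:acceptance:saml"; }
map $host $saml_idp_sso_url         { default "https://ecas.acceptance.ec.europa.eu/cas/"; }
# ACC: "". In production the IdP public key is mandatory; without it Responses cannot be verified.
map $host $saml_idp_verification_certificate { default "/etc/nginx/saml/eulogin_idp.pub"; }  # placeholder path, PKCS#1

# Single logout. ACC: sign_slo and want_signed_slo "false".
map $host $saml_sp_slo_url          { default "https://netbox.saml.test.tech.ec.europa.eu/saml/sls"; }  # = location /saml/sls
map $host $saml_sp_slo_binding      { default "HTTP-POST"; }
map $host $saml_sp_sign_slo         { default "true"; }
map $host $saml_idp_slo_url         { default ""; }  # "" disables SLO; set to the IdP SLO endpoint (not given on this page)
map $host $saml_sp_want_signed_slo  { default "true"; }
map $host $saml_logout_landing_page { default "/_logout"; }

# Cookie flags (assumed string): over HTTPS the session cookie must be Secure and HttpOnly.
map $host $saml_cookie_flags        { default "Path=/; SameSite=lax; HttpOnly; Secure;"; }

# $proto / $redirect_base as in nginx-saml (#L147). Honouring X-Forwarded-* is only safe
# because nginx sits behind a trusted proxy; clients must not reach nginx directly with them.
map $http_x_forwarded_proto $proto {
    ""       $scheme;
    default  $http_x_forwarded_proto;
}
map $http_x_forwarded_port $redirect_base {
    ""       $proto://$host:$server_port;
    default  $proto://$host:$http_x_forwarded_port;
}

# Key-value session store (#L160). Zone name is illustrative; state= persists sessions
# across reloads, timeout= bounds the server-side session lifetime.
keyval_zone zone=saml_session_access:1M state=/var/lib/nginx/state/saml_session_access.json timeout=1h;
keyval $cookie_auth_token $saml_session_access zone=saml_session_access;

# njs handlers for the SAML Web Browser SSO profile; the file must exist on disk.
js_import samlsp from conf.d/saml_sp.js;
```

The acceptance values are deliberately not left as defaults: an SP that neither signs its requests nor requires signed Responses will accept any well-formed Response addressed to it, so the only thing to flip between environments should be the IdP identifiers and the key material, never the "want_signed_*" switches.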

Nginx server context:

The server-side initialization section (see https://github.com/nginxinc/nginx-saml/blob/main/saml_sp.server_conf#L1-L23) can be pulled in with an include (see https://code.europa.eu/digit-c4/rps/proxy/-/blob/saml_from_scratch/docker/files/nginx/conf.d/default.conf?ref_type=heads#L164).

Special Locations

  • location = /saml/acs: SAML Assertion Consumer Service (ACS) location. Receives and processes SAML <samlp:Response> messages from the IdP. MUST match $saml_sp_acs_url.
  • location = /saml/sls: SAML Single Logout Service (SLS) location. Receives and processes SAML <samlp:LogoutResponse> or <samlp:LogoutRequest> messages from the IdP. MUST match $saml_sp_slo_url.
  • location @do_samlsp_flow: Named location that initiates SAML authentication by sending a SAML <samlp:AuthnRequest> to the IdP when no user session is found. See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp.server_conf#L42
  • location = /logout: Requests to this location initiate the logout process by sending a SAML <samlp:LogoutRequest> to the IdP. May differ from $saml_sp_slo_url.
  • location = /_logout: This location is the default value of $saml_logout_landing_page.
  • location @saml_error: This location is called whenever a SAML SSO error occurs. See https://github.com/nginxinc/nginx-saml/blob/main/saml_sp.server_conf#L63

Nginx location context:

Add this section to each protected location in the server context:

https://code.europa.eu/digit-c4/rps/proxy/-/blob/saml_from_scratch/docker/files/nginx/conf.d/default.conf?ref_type=heads#L176-186
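A server block that ties the server and location contexts together, as an added example and not the project's default.conf. The upstream, hostname and TLS paths are placeholders; the session variable tested in the protected location ($saml_access_granted) and the $saml_name_id variable are assumptions modelled on the nginx-saml frontend example, so take the exact lines from default.conf#L176-186. The /favicon.ico location is the fix for the auth_redir cookie problem noted under $saml_sp_relay_state.

```nginx
upstream netbox_backend { server 127.0.0.1:8000; }   # placeholder backend

server {
    listen 443 ssl;
    server_name netbox.saml.test.tech.ec.europa.eu;
    ssl_certificate     /etc/nginx/tls/sp.crt;       # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sp.key;

    # Server-side initialization plus the special locations (/saml/acs, /saml/sls,
    # @do_samlsp_flow, /logout, /_logout, @saml_error) supplied by nginx-saml.
    include conf.d/saml_sp.server_conf;

    # Browsers fetch the favicon without a session. Answering it here keeps that
    # request from starting an SSO flow and overwriting the auth_redir cookie.
    location = /favicon.ico {
        access_log off;
        return 204;
    }

    location / {
        # No SP session: the 401 is remapped to the named location that sends the AuthnRequest.
        error_page 401 = @do_samlsp_flow;
        if ($saml_access_granted != "1") {   # assumed variable name, see default.conf#L176-186
            return 401;
        }

        # proxy_set_header replaces whatever the client sent in this header, so the
        # backend can trust it as the authenticated NameID; never pass it through unset.
        proxy_set_header X-Remote-User $saml_name_id;   # assumed variable name
        proxy_pass http://netbox_backend;
    }
}
```

If a real icon is wanted, serve it from a `location = /favicon.ico` with `root` instead of `return 204`; the point is only that the location must be reachable without a session so it never enters @do_samlsp_flow.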

Edited by Vincent SIMONIN