Overview
didmos2 Authenticator is the central authentication component in the didmos2 software suite. It is based on the SATOSA proxy and supports the SAML and OpenID Connect protocols.
SATOSA is composed of different modules. Backend modules represent authentication methods and connect to different authentication sources. The result of a backend module consists of an user identifier and possibly additional user attributes from the authentication source. Conversely, frontend modules are used to connect to various services. They convey the information (which is based on whatever the backend module produced and potential modifications in micro services) back to the relying parties. Finally, micro services perform all kinds of tasks (like routing or attribute modifications) between frontend and backend modules. They can be further divided into request micro services (these run when routing from the frontend to the backend takes place, before any response from the backend is produced) and response micro services (these run on the way back from the backend to the frontend, after the backend has produced its result).
The following SATOSA modules are currently used in didmos2 Authenticator:
| Backend Modules | LDAP |
| Github | |
| SAML2 | |
| UCS | |
| Response Micro Services | LDAP Attribute Store |
| PrivacyIdea MFA | |
| Account Registration | |
| Request Micro Services | Discovery Router |
| Frontend Modules | OIDC |
| SAML2 (planned) |
Deployment
The following environment variables must be set, in order to start the didmos2 Authenticator service as part of the didmos2 software suite with default configuration:
SATOSA_MONGODB_PASSWORD: <password as used for the satosa account in didmos2-mongodb>
SATOSA_SSO_ENCRYPTION_KEY: <random value>
SATOSA_STATE_ENCRYPTION_KEY: <random value>
SATOSA_BASE_HOST: <external hostname for the didmos2 Authenticator deployment, e.g. auth.didmos2.de>
SATOSA_REGISTRATION_URL: <location for didmos2 frontend registration, e.g. https://didmos2.de/selfreg>
All other settings are initialized with default values and can be adjusted as described below.
Configuration
UCS Mode
A mode to run didmos2 Authenticator in UCS is available. This mode can be used to activate the Saml2_UCS backend and connect to the UCS SAML IDP:
SATOSA_UCS_ACTIVE: "Yes"
Note that this setting should be combined with deactivating all other login methods and especially the internal LDAP login:
SATOSA_LDAP_ACTIVE: "No"
To complete setup, the following volumes must be added to the satosa service in docker-compose.yml:
volumes: - $PWD/satosa-credentials:/etc/satosa/credentials - $PWD/ucs-metadata.xml:/etc/satosa/ucs-metadata.xml
In satosa-credentials/ the files saml2_ucs_backend.crt and saml2_ucs_backend.key must be present.
The metadata of the SAML IDP in UCS must be present as ucs-metadata.xml.
Full environment variable reference
| Base configuration | Default | Description | Required in docker-compose.yml |
|---|---|---|---|
| SATOSA_BASE_HOST | e.g. auth.didmos2.de | * | |
| SATOSA_STATE_ENCRYPTION_KEY | Random value used for enc of state cookie | * | |
| SATOSA_SSO_ENCRYPTION_KEY | Random value used for enc of sso cookies | * | |
| Internal LDAP authentication | Default | ||
| SATOSA_LDAP_ACTIVE | Yes | Activate local didmos2 login | |
| SATOSA_REGISTRATION_URL | e.g. https://didmos2.de/selfreg | * | |
| MongoDB connection | |||
| SATOSA_MONGODB_USERNAME | satosa | Username for mongodb service | |
| SATOSA_MONGODB_HOST | mongo | Host for mongodb service | |
| SATOSA_MONGODB_PORT | 27017 | Port for mongodb service | |
| SATOSA_MONGODB_DATABASE | satosa | Database name | |
| SATOSA_MONGODB_PASSWORD | Password for mongodb service | * | |
| OIDC Frontend | |||
| SATOSA_OIDC_DYNAMIC_REGISTRATION | No | Allow dynamic registration of oidc clients | |
| Internal LDAP Credentials | |||
| SATOSA_INTERNALLDAP_URL | ldap://ldap:389 | Internal LDAP Host | |
| SATOSA_INTERNALLDAP_BIND_DN | uid=satosa,ou=accounts,ou=DSA,dc=didmos,dc=de | Bind DN for internal LDAP | |
| SATOSA_INTERNALLDAP_BIND_PASSWORD | PdefaultWsatosaD | Bind Credential for internal LDAP | |
| SATOSA_INTERNALLDAP_SEARCH_BASE | ou=data,ou=default-tenant,dc=didmos,dc=de | Search base for users in internal LDAP | |
| SATOSA_INTERNALLDAP_CREATE_BASE | ou=social-people,ou=data,ou=default-tenant,dc=didmos,dc=de | Base DN for creation of shadow accounts | |
| PrivacyIdea MFA | |||
| SATOSA_MFA_PRIVACYIDEA_ACTIVE | No | Activate privacyIdea MFA for local accounts | |
| SATOSA_MFA_PI_URL | privacyIdea URL | ||
| SATOSA_MFA_PI_USERNAME | privacyIdea admin user | ||
| SATOSA_MFA_PI_PASSWORD | privacyIdea admin password | ||
| SATOSA_MFA_PI_CHALLENGE_TOKENTYPES | Tokentypes, which require challenge & response, e.g. "email, sms" | ||
| Facebook Social Login | |||
| SATOSA_FACEBOOK_ACTIVE | No | Activate Facebook login | |
| SATOSA_FACEBOOK_CLIENT_ID | |||
| SATOSA_FACEBOOK_CLIENT_SECRET | |||
| Google Social Login | |||
| SATOSA_GOOGLE_ACTIVE | No | Activate Google login | |
| SATOSA_GOOGLE_CLIENT_ID | |||
| SATOSA_GOOGLE_CLIENT_SECRET | |||
| LinkedIn Social Login | |||
| SATOSA_LINKEDIN_ACTIVE | No | Activate Linkedin login | |
| SATOSA_LINKEDIN_CLIENT_ID | |||
| SATOSA_LINKEDIN_CLIENT_SECRET | |||
| Github Social Login | |||
| SATOSA_GITHUB_ACTIVE | No | Activate Github login | |
| SATOSA_GITHUB_CLIENT_ID | |||
| SATOSA_GITHUB_CLIENT_SECRET | |||
| SAML2 Login | |||
| SATOSA_SAML2_ACTIVE | No | Activate Saml2 login | |
| SATOSA_SAML2_METADATA | URL to Saml2 metadata | ||
| SATOSA_SAML2_WAYF_ACTIVE | Use WAYF yes/no | ||
| SATOSA_SAML2_WAYF_URL | URL to WAYF | ||
| SATOSA_SAML2_METADATA_SIGNED | Set to "No" | ||
| Externalldap Login | |||
| SATOSA_EXTERNALLDAP_ACTIVE | No | ||
| SATOSA_EXTERNALLDAP_LDAPURL | |||
| SATOSA_EXTERNALLDAP_BINDDN | |||
| SATOSA_EXTERNALLDAP_BINDPWD | |||
| SATOSA_EXTERNALLDAP_SEARCHBASE | |||
| SATOSA_EXTERNALLDAP_SEARCHATTRIBUTE | |||
| SATOSA_EXTERNALLDAP_IDATTRIBUTE | |||
| UCS Login | |||
| SATOSA_UCS_ACTIVE | No |