Proposal is to use SimpleSAMLphp as an SP for the proxy, with some additional capabilities to collect data from the proxy's logs.

Profile page has 3 main features:

  • All my data: show all data the Proxy has about the user (in the context of a given VO, or just everything)
  • Connected Services: a list of all the SP and RP services connected to the proxy which have been used by the user
  • Transactions: the personal data which was transported to a given SP or RP over time (typically with a retention time of e.g. 1 month or 3 months)

Proposed implementation:

  • proxy = IdP, profile page is 'trusted' SP → "all my data" is just print($attributes) of all attributes released by the Proxy to the SP. As this SP is trusted, there is no data minimization (although the Proxy may still decide not to release specific data if it wants)
  • Connected services needs SAML metadata and OIDC client data to know about connected services. entityID and client_id are used as keys
  • syslog server as the standard interface for pushing transaction data from proxy, cron job on SSP side to process towards SSP profile page DB.
    → Cron job and syslog server do not even have to be run on the actual SSP SP (so could also be e.g. a python script), as long as the end result 'fits' in the profile page DB tables.
    → Cron job may also contain required "business logic", as not all attributes shown to the user on the "all my data" page will make sense. Some might e.g. be targeted towards specific SPs behind the proxy, and hence the value shown in "all my data" is not correct or not relevant.
    The transactions page will be able to show the real value however, so just use comments and other information on the "all my data" page to explain this to the user.
  • Also support OIDC
  • Revocation:
    • OIDC access token revocation wanted, may go directly into e.g. the SaToSa mongo DB; perhaps an abstraction layer is needed (API or the like)
    • SAML consent revocation may work in the same way, by directly interacting with the consent module DB
    • Probably have the implementation such that these classes can be extended
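The syslog-to-profile-DB step described above, as an added example that is not part of the proposal or of SimpleSAMLphp: a small Python cron-style script that parses proxy transaction log lines and builds the "connected services" table (keyed by entityID or client_id, no expiry) and the "transactions" table (pruned by retention time). The log line format, the field names, the sample records and the fixed "now" are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines. Assumed format (not fixed by the proposal):
# one JSON record per attribute release, tagged ATTR_RELEASE by the proxy.
SAMPLE_SYSLOG = """\
2024-03-01T10:00:00Z proxy satosa[1]: ATTR_RELEASE {"user": "alice", "service": "https://sp.example.org/saml", "proto": "saml", "attrs": {"mail": "alice@example.org", "eduPersonAffiliation": "member"}}
2024-03-20T11:30:00Z proxy satosa[1]: ATTR_RELEASE {"user": "alice", "service": "client-abc123", "proto": "oidc", "attrs": {"sub": "pairwise-9f2", "email": "alice@example.org"}}
2024-04-02T09:15:00Z proxy satosa[1]: ATTR_RELEASE {"user": "bob", "service": "https://sp.example.org/saml", "proto": "saml", "attrs": {"mail": "bob@example.org"}}
2024-04-03T09:15:00Z proxy satosa[1]: some unrelated log line
"""

# Constructed "current time" so the retention cutoff is deterministic.
NOW = datetime(2024, 4, 10, tzinfo=timezone.utc)
RETENTION_DAYS = 30

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+: ATTR_RELEASE (?P<json>\{.*\})$")


def parse_syslog(text):
    """Parse ATTR_RELEASE lines into transaction dicts; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = json.loads(m.group("json"))
        rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        records.append(rec)
    return records


def build_profile_tables(records, now, retention_days):
    """Return (services, transactions): services maps (user, service key) to
    the protocol and last-used time; transactions keeps only releases that
    are younger than the retention period, as the profile page would."""
    cutoff = now - timedelta(days=retention_days)
    services = {}
    transactions = []
    for rec in records:
        key = (rec["user"], rec["service"])
        prev = services.get(key)
        if prev is None or rec["ts"] > prev["last_used"]:
            services[key] = {"proto": rec["proto"], "last_used": rec["ts"]}
        if rec["ts"] >= cutoff:
            transactions.append(rec)
    return services, transactions


def run_example():
    """One cron run over the constructed sample log."""
    return build_profile_tables(parse_syslog(SAMPLE_SYSLOG), NOW, RETENTION_DAYS)
```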