Participants

Proposers

Name	Organisation
Niels van Dijk	SURF
Dedra Chamberlin	Cirrus Identity
Miroslav Milinovic	SRCE

GN4-3 project team

Name	Organisation	Role
Sergio	UCO	Core team member
Patrick	Cirrus Identity	External Developer
Marko Ivancic	SRCE	External Developer

Stakeholders

Name	Organisation	Role
Miroslav Milinovic	SRCE	Stakeholder
Deadre Chamberlin	Cirrus Identity	Stakeholder
Stefan Winter	KIT	Stakeholder

Activity overview

Description

This activity attempts to extend the IdP/SP software SimpleSAMLphp with the still missing OpenID Connect Provider interface.

Activity goals

The aim of this activity is to create a functional OIDC OpenID Provider module for SimpleSAMLphp and provide it upstream.

Activity Details

Technical details

SimpleSAMLphp (SSP) is a commonly used software product for both SP and IdP deployments in Research and Education. In addition it may also be deployed as a proxy. Next to SAML, various other authentication protocols are supported.While SSP already supports the OpenID Connect (OIDC) Relaying Party (RP) interface, an OIDC OpenID Provider (OP) implementation is missing.

Adding an OIDC OP would add the ability to run a SSP based identity provider in 'dual stack' providing both SAML and OIDC based authentication using the same authoritative database. In addition it would improve SSPs proxy capability by allow it to proxy from SAML based IdPs (itself acting as an SP) to OIDC based RPs (itself acting as an OP).

This activity seeks to implement an OIDC OP in accordance with the OIDC specification into SSP.

There is an existing module available at Github. It needs to be investigated whether this is suitable for this activity.

Business case

SSP is one of the most widely used IdP/SP software in the GÉANT community. Furthermore, the adoption of OIDC is growing steadily, especially third-parties use it commonly. The OP module offers NRENs and institutions an easy way to provide an OIDC IdP.

Risks

Parallel implementation of different solutions
Failure to provide the module upstream

Data protection & Privacy

The activity itself does not handle any sensitive data
The created module will be integrated into an IdP and therefore handle authentication related user information

Definition of Done (DoD)

An SSP OIDC OP architecture is created and documented
A working SSP module is created and tested
A security review is performed to ensure the module does not affect SSP security or privacy
The SSP module is published publicly and picked up by a maintainer

Sustainability

The source code and interface documentation will be published publicly on GitHub
The module will be provided to the SSP developers or a related project for maintenance

Activity Results

Results

Passing OIDF Basic and Implicit Conformance Tests
Project handed over to https://github.com/simplesamlphp/simplesamlphp-module-oidc
F-TICKS support added
Docker image for testing
Sprint Recording and OIDC Demo: SSP-OIDC_demo.mp4

Meetings

Date	Activity	Owner
01.06.21	Public demo	Niels van Dijk
21.09.21	Final demo	Niels van Dijk

Documents

File Modified

No files shared here yet.

Page tree

Add OIDC OP support to SimpleSAMLphp