OpenConext Attribute Aggregation

  • Java 11
  • Maven 3
  • MySQL 5.5
  • npm
  • node 7.10.0 (use for example nvm to manage it - latest version of node does not work)

If you have yarn installed, it will be used in the build by 3rd party libs. Ensure you are on version 1.1.0, otherwise the sass node will break.

Connect to your local mysql database: mysql -uroot

Execute the following:

CREATE DATABASE aaserver;
grant all on aaserver.* to 'root'@'localhost';

This project uses Spring Boot and Maven. To run locally, type:

cd aa-server

mvn spring-boot:run -Drun.jvmArguments="-Dspring.profiles.active=dev"

When developing, it's convenient to just execute the application's main method, which is in Application. Don't forget to set the active profile to dev.

The client is built with react.js. To get started:

cd aa-gui

To run locally:

npm run local

Browse to the application homepage.

When new npm dependencies are added:

npm install

When manually testing the aggregations in the Playground you have to provide input attributes for retrieving values from the attribute authorities.

  • The attribute urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the value urn:collab:person:example.com:admin returns groups / isMemberOfs from VOOT
  • The attribute urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the value urn:collab:person:surfnet.nl:henny returns SAB roles
  • The attribute urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the value urn:collab:person:example.com:admin returns a valid ORCID.

To mimic the behaviour of attribute aggregation for an internal client - e.g. EngineBlock - we need to post form data:

curl -X POST -H "Content-Type: application/json" --data-binary @./aa-server/src/test/resources/json/eb/request.json -u eb:secret https://aa.test2.surfconext.nl/aa/api/internal/attribute/aggregation

If you want to test all of the above curl commands against your locally running AttributeAggregation application, replace https://aa.test2.surfconext.nl with http://localhost:8080.

There is also an API for trusted clients to obtain account information based on the urn of the person:

curl -u eb:secret https://aa.test2.surfconext.nl/aa/api/internal/accounts/urn:collab:person:example.com:admin

The API also offers an endpoint to delete accounts:

curl -u eb:secret -X "DELETE" "https://aa.test2.surfconext.nl/aa/api/internal/disconnect/${account_id}"

This returns the JSON {"status": "OK"} on success.

You can locally test the account linking with ORCID. You will need a valid ORCID client id and secret. Copy & paste the application.yml to application.local.yml and fill in the properties orcid.client_id and orcid.secret. Then use this configuration to start the server application:

mvn spring-boot:run -Drun.jvmArguments="-Dspring.profiles.active=dev" -Dspring.config.name=application.dev

If you go to the connected page you can link the dummy institutional user provided by the MockShibbolethFilter with an ORCID account.

If you don't specify a redirectUrl, then you will be redirected to the information page.

New Attribute Authorities must first be added and configured in attributeAuthoritiesProductionTemplate.yml. Then add the new authority implementation to AttributeAggregatorConfiguration#attributeAggregatorById.

To actually use the new authority in the test/acc/prod environment it also needs to be configured in OpenConext-deploy attributeAuthorities.yml.j2.

On its classpath, the application has an application.yml file that contains configuration defaults that are convenient when developing.

When the application actually gets deployed to a meaningful platform, it is pre-provisioned with ansible and the application.yml depends on environment specific properties in the group_vars. See the project OpenConext-deploy and the role aa for more information.

For details, see the Spring Boot manual.

When you want to run Attribute-Aggregator in a non-OpenConext environment you can use the aa script to stop / restart and start the application.

There is a LifeCycle API to deprovision users. The preview endpoint:

curl -u life:secret http://localhost:8080/aa/api/deprovision/saml2_user.com | jq

And the actual deprovisioning of the user:

curl -X DELETE -u life:secret http://localhost:8080/aa/api/deprovision/saml2_user.com | jq
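
The two deprovision calls above, wrapped as an added shell example (not part of the project's code). It assumes environment variables named AA_USER and AA_PASS and that both calls use the preview path /aa/api/deprovision/<id>; it refuses to send basic-auth credentials over plain http except to loopback.

```sh
#!/bin/sh
# Added example, not the project's code. AA_USER / AA_PASS are assumed
# environment variable names; both calls are assumed to use /aa/api/deprovision/<id>.

# Basic auth is only base64-encoded: allow https anywhere, plain http on loopback only.
aa_check_base() {
  case "$1" in
    *@*) return 1 ;;                      # no userinfo tricks (http://localhost:x@host)
    https://?*) return 0 ;;
    http://localhost|http://localhost[/:]*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1[/:]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the deprovision URL for a user id, or fail without printing anything.
aa_deprovision_url() {
  base=${1%/}; id=$2
  aa_check_base "$base" || { echo "refusing basic auth over non-loopback http" >&2; return 1; }
  case "$id" in                           # ids like saml2_user.com or urn:collab:person:...
    ''|*[!A-Za-z0-9_.:-]*) echo "unexpected character in user id" >&2; return 1 ;;
  esac
  printf '%s/aa/api/deprovision/%s\n' "$base" "$id"
}

# Credentials reach curl as a config line on stdin (-K -), not in argv or shell history.
aa_curl() {
  printf 'user = "%s:%s"\n' "$AA_USER" "$AA_PASS" | curl -sS --fail -K - "$@"
}

# usage: aa_deprovision <base-url> <user-id> [--delete]
aa_deprovision() {
  url=$(aa_deprovision_url "$1" "$2") || return 1
  if [ -z "${AA_USER:-}" ] || [ -z "${AA_PASS:-}" ]; then
    echo "set AA_USER and AA_PASS in the environment" >&2; return 1
  fi
  case "$AA_USER$AA_PASS" in              # keep the curl config line well-formed
    *'"'*|*\\*) echo "quote or backslash in credentials not supported" >&2; return 1 ;;
  esac
  aa_curl "$url" || return 1              # step 1: preview (GET)
  [ "${3:-}" = "--delete" ] || return 0
  aa_curl -X DELETE "$url"                # step 2: actual deprovisioning
}
```

Without --delete only the preview request is sent, so the preview output can be reviewed before the same command is rerun with --delete.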
