{"id":23859209,"url":"https://github.com/openconext/openconext-sso-notification","last_synced_at":"2026-01-29T18:03:14.351Z","repository":{"id":42524669,"uuid":"379301718","full_name":"OpenConext/OpenConext-SSO-Notification","owner":"OpenConext","description":null,"archived":false,"fork":false,"pushed_at":"2025-08-05T13:30:48.000Z","size":191,"stargazers_count":3,"open_issues_count":0,"forks_count":3,"subscribers_count":7,"default_branch":"develop","last_synced_at":"2025-08-05T15:09:22.600Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenConext.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-06-22T14:38:26.000Z","updated_at":"2025-08-05T13:30:52.000Z","dependencies_parsed_at":"2023-02-17T04:00:39.330Z","dependency_job_id":"527d17b4-b033-4af9-b31d-52ea8f0f1082","html_url":"https://github.com/OpenConext/OpenConext-SSO-Notification","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/OpenConext/OpenConext-SSO-Notification","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FOpenConext-SSO-Notification","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FOpenConext-SSO-Notification/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FOpenConext-SSO-Notification/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Open
Conext%2FOpenConext-SSO-Notification/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenConext","download_url":"https://codeload.github.com/OpenConext/OpenConext-SSO-Notification/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FOpenConext-SSO-Notification/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274152117,"owners_count":25231285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-08T02:00:09.813Z","response_time":121,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-03T03:32:50.815Z","updated_at":"2026-01-29T18:03:14.345Z","avatar_url":"https://github.com/OpenConext.png","language":"Java","readme":"# OC SSO Notification\n\nThis Spring Boot Application is created to implement a SSO Notification service for OpenConext.\nWith a SSO Notification an Identity Provider can be defined which informs Engineblock at which Identity Provider a user \nshould log in. This is accomplished by setting a cookie with the entity ID of the Identity Provider. 
The Engineblock\napplication retrieves the cookie and initiates an authentication with the set entity ID.\n\nFor a more in-depth functional description, please refer to the [functional description](release/src/site/markdown/docs/functional-description.md).\n\nThe following URLs are exposed with this service:\n\n- / - The SSO Notification service\n- /actuator/health\n- /actuator/info\n\n## Getting started\n\nThe OC SSO Notification Service utilises:\n\n- Java 21\n- Maven 3+\n\n## Installation\n\nFor development you can start the Spring Boot application with embedded Tomcat from the root of the project using:\n\n    mvn clean install \u0026\u0026 java -jar oc-sso-notificatie/target/oc-sso-notificatie-*.jar --spring.config.location=release/src/main/resources/sample/config/\n\n## Security checks\n\nRun the OWASP security checks with:\n\n    mvn clean install -P security-updates -DskipTests=true -B\n\n## Configuration of SSO Notification service\n\nThe application uses key-value pairs set in the [application.properties](release/src/main/resources/sample/config/application.properties) \nfile.\n\nSettings for exposing inner workings of the application can be configured with the parameters below. 
Note that for \nProduction use, either access to /actuator should be restricted or this configuration should be altered:\n\n    # The admin user who can access the management information.\n    spring.security.user.name=admin\n    spring.security.user.password=secret\n    spring.security.user.roles=ACTUATOR\n     \n    # Actuator expose settings\n    management.security.roles=ACTUATOR\n    management.endpoints.web.exposure.include=health,info\n    management.endpoints.health.roles=ACTUATOR\n    management.endpoints.info.roles=ACTUATOR\n\nWith the default configuration, the /actuator/info endpoint can be requested with the following command:\n\n    curl -X GET http://localhost:8083/actuator/info -H 'Authorization: Basic YWRtaW46c2VjcmV0'\n\nNote that the key \"YWRtaW46c2VjcmV0\" is a Base64 encoded String with format \"[username]:[password]\", in this case: \n\"admin:secret\". This value can be generated using https://www.base64encode.org or the Linux command line \n(\"echo -n 'admin:secret' | base64\").\n\nIf \"management.security.roles\" is not set, the actuator endpoint will not be secured.\n\nSettings for the SSO Notification cookie can be configured with the following parameters.\n\n    # The domain to set for the notification cookie\n    notification.cookie.domain=vm.openconext.org\n    # The path to set for the notification cookie\n    notification.cookie.path=/\n    # The secure flag to set for the notification cookie\n    notification.cookie.secured=true\n\nSettings for the encryption can be configured with the following parameters.\n\n    # The encryption method used\n    crypto.encrypt.algorithm=AES/CBC/PKCS5Padding\n    # The secure password used to generate the encryption key - used for generating notification cookie value    \n    crypto.secure.key=\u003cxxx\u003e\n    crypto.secure.key.type=PBKDF2WithHmacSHA256\n    crypto.secure.key.algorithm=AES\n    # The salt value used to generate the encryption key\n    crypto.secure.salt=\u003cxxx\u003e\n\nSince 
AES-256 is used as the default encryption method, set a value of 32 characters for `crypto.secure.key` \nand a value of 16 characters for `crypto.secure.salt`. These settings should also be used in the configuration of \nEngineblock for the decryption process. Please see the section below for more details.\n\nFor retrieving SSO Notifications there is the option of requesting data from an external REST API which is configured\nwith:\n\n    # Url of the API which returns the SSO notification information by id.\n    api.endpoint.url=\n    # The name of the API key header\n    api.key.header.key=\n    # The api-key header value - used for security purposes, is added to the IdP REST request\n    api.key.header.value=\n    # The URL-suffix to fetch all SSO Notification data from the Data Service endpoint\n    api.endpoint.url.all-suffix=\n    # The amount of seconds before a timeout\n    connection.timeout.seconds=5\n\nAlternatively, a data file in JSON format (example found [here](release/src/main/resources/sample/config/idp.data.json)) \ncan be configured with:\n\n    data.location=file:release/src/main/resources/sample/config/idp.data.json\n\nIf this configuration is present, the API will be used to fetch the data. The static file will be used as a fallback\nif the API configuration is not present. In the case the API is not working (either due to wrong configuration or\noutage), the static file will NOT be used as a fallback.\n\nFor a full example of the configurations, please refer to [Installation Manual](release/src/site/markdown/docs/installation-manual.md).\n\nIt is possible to configure SSO-Notification such that it runs more in sync with the data-source. If this is done, \nSSO-Notification periodically polls a check-sum endpoint exposed on the original data-source. The cache is then evicted\nif the check-sum has changed since the last time. 
To do this, the following settings must be configured:\n\n      api.endpoint.url.cacheHash=\n      dataservices.fetchCacheHash.cronSchedule=-\n\nWhere `api.endpoint.url.cacheHash` is the URL (including endpoint) where the check-sum is exposed, and \n`dataservices.fetchCacheHash.cronSchedule` is the cron-schedule at which the above endpoint will be polled. This schedule \nis set to `-` by default, which disables this polling feature.\n\n## Configuration of Engineblock\n\nReading and processing SSO Notification cookies should be enabled in Engineblock. Furthermore, the encryption key\nand salt configured for the SSO Notification service should be configured for Engineblock as well for the decryption\nprocess. Below are the configurations needed in Engineblock.\n\n    feature_enable_sso_notification: true\n    sso_notification_encryption_algorithm: AES-256-CBC\n    sso_notification_encryption_key: \u003cxxx\u003e\n    sso_notification_encryption_key_salt: \u003cxxx\u003e\n\n## Other features\n\n### Realm scoping\nIt is possible to enrich the SAML authentication scoping elements with realms. Realms\nprovide a unique identifier which can be used to scope further in the authentication process.\nFor the SSO Notification, a realm can be added to the cookie by adding an optional request \nparameter to the request to the SSO Notification service as follows:\n\n    ...\u0026realm=\u003crealm\u003e\n\nSee the section Testing the service for a full example of a request. \n\n## Testing the service\n\nNote that you'll need to have a valid Referer HTTP header, so it is necessary to set up a web server running on the \nsame domain as the Engineblock application which points to this service. This is needed to be able to place the SSO \nNotification cookie. Also do note that cookies will be placed as secure. 
The service therefore needs to be accessed \nthrough HTTPS.\n\nThen a request can be sent to the service, for example:\n\n    https://sso.vm.openconext.org?id=my-idp-entityid\u0026url=https://domain.com\u0026redirectUri=https://engine.vm.openconext.org\u0026realm=testRealm\n\nA description for a quick test with a simple HTML page can be found in [test.md](release/src/site/markdown/docs/test.md).\n\n## License\n\nOC SSO Notification - [Apache License, Version 2.0](LICENSE-2.0.txt)\n\n## Contact\nFor more information, contact [Stichting Kennisnet](mailto:implementaties@kennisnet.nl).\n\n**Copyright(c) 2023 [Stichting Kennisnet]**\n\n[//]: # (These are reference links used in the body of this note)\n   [Stichting Kennisnet]: \u003chttp://www.kennisnet.nl\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenconext%2Fopenconext-sso-notification","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenconext%2Fopenconext-sso-notification","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenconext%2Fopenconext-sso-notification/lists"}