{"id":51300758,"url":"https://github.com/solarssk/ssf-transmitter","last_synced_at":"2026-06-30T19:30:34.481Z","repository":{"id":360782759,"uuid":"1251664322","full_name":"solarssk/ssf-transmitter","owner":"solarssk","description":"Standalone OpenID Shared Signals Framework transmitter for self-hosted Authentik deployments.","archived":false,"fork":false,"pushed_at":"2026-06-20T09:46:16.000Z","size":536,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-20T11:23:59.958Z","etag":null,"topics":["authentik","caep","docker","fastapi","openid","risc","security-events","self-hosted","shared-signals-framework","ssf"],"latest_commit_sha":null,"homepage":"https://github.com/solarssk/ssf-transmitter","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solarssk.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-27T19:55:42.000Z","updated_at":"2026-06-12T20:27:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/solarssk/ssf-transmitter","commit_stats":null,"previous_names":["solarssk/ssf-transmitter"],"tags_count":24,"template":false,"template_full_name":null,"purl":"pkg:github/solarssk/ssf-transmitter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solarssk%2Fssf-transmitter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solarssk%2Fssf-transmitter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solarssk%2Fssf-transmitter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solarssk%2Fssf-transmitter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solarssk","download_url":"https://codeload.github.com/solarssk/ssf-transmitter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solarssk%2Fssf-transmitter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34981389,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-30T02:00:05.919Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentik","caep","docker","fastapi","openid","risc","security-events","self-hosted","shared-signals-framework","ssf"],"created_at":"2026-06-30T19:30:33.696Z","updated_at":"2026-06-30T19:30:34.466Z","avatar_url":"https://github.com/solarssk.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSF Transmitter\n\n[![CI](https://github.com/solarssk/ssf-transmitter/actions/workflows/ci.yml/badge.svg)](https://github.com/solarssk/ssf-transmitter/actions/workflows/ci.yml)\n\nStandalone service that sits next to Authentik and forwards user security events (logout, password change) to receivers implementing the [OpenID Shared Signals Framework](https://openid.net/specs/openid-sharedsignals-framework-1_0.html). One container supports one active SSF stream — registering a new stream replaces the existing one. Multi-stream support (fan-out to multiple receivers) is planned for v1.1. Primary receiver: Apple Business Manager CAEP.\n\nEvents are signed as RS256 JWTs (Security Event Tokens) and pushed over HTTPS. No admin panel — all configuration is environment variables.\n\n**Current release:** [v0.5.10 — Stream recovery hardening](https://github.com/solarssk/ssf-transmitter/releases/tag/v0.5.10)\n\n## Features\n\n- SSF discovery and JWKS endpoints\n- Stream management API (create / read / update / delete)\n- Authentik webhook receiver with Bearer or HMAC-SHA256 authentication\n- CAEP event mapping for logout and password change\n- RS256-signed SET push delivery with SSRF and DNS rebinding protection\n- Receiver hostname allowlist, in-app rate limiting, HTTP security headers (v0.5.9+)\n- Fernet encryption for receiver tokens at rest (v0.5.9+)\n- PII masking in logs by default\n- Apple Business Manager SCIM user sync (optional)\n- Startup preflight checks with ✅/⚠️/❌ output per item\n- Multi-architecture Docker image (`linux/amd64`, `linux/arm64`)\n\n## Quick start\n\n1. Copy [`.env.example`](.env.example) to `stack.env` and set:\n   - `SSF_ISSUER`, `SSF_BASE_URL` (`SSF_ISSUER` should normally be the same URL as `SSF_BASE_URL`)\n   - `SSF_MANAGEMENT_TOKEN`, `SSF_WEBHOOK_TOKEN`\n   - `SSF_FORWARDED_ALLOW_IPS` (your reverse proxy subnet if behind NPM/Caddy)\n2. Add the service to Docker Compose — see [docs/Deployment.md](docs/Deployment.md) or [Synology guide](docs/synology-authentik-compose.md)\n3. Register the stream with your receiver using the SSF Config URL below\n\nA **stream** is the receiver configuration stored in SQLite: receiver URL, bearer token, requested events, and current status. If Apple Business Manager is already connected, you already have a stream.\n\n## Upgrading\n\n**Already running with Apple Business Manager?** See [docs/Upgrading.md](docs/Upgrading.md#v0510--stream-recovery-hardening-from-058-or-earlier):\n\n- Bump image to `0.5.10`\n- Set `SSF_FORWARDED_ALLOW_IPS` behind reverse proxy\n- Keep `SSF_WEBHOOK_AUTH_MODE=hmac` explicitly if your Authentik webhook still uses legacy HMAC\n- Do **not** add `SSF_TOKEN_ENCRYPTION_KEY` unless re-registering the stream\n\n## Public endpoints\n\n| Endpoint | URL |\n|---|---|\n| Service root | `https://idp.example.com/shared-signals/` |\n| SSF Config | `https://idp.example.com/shared-signals/.well-known/ssf-configuration` |\n| JWKS | `https://idp.example.com/shared-signals/jwks.json` |\n| Stream management | `https://idp.example.com/shared-signals/ssf/streams` |\n| Status | `https://idp.example.com/shared-signals/ssf/status` |\n\n`/docs` and `/openapi.json` are off by default — set `SSF_ENABLE_OPENAPI=true` only in dev or a trusted LAN.\n\nReplace `idp.example.com` with your IdP hostname and `/shared-signals` with your `SSF_ROOT_PATH`.\n\n## Documentation\n\n| Topic | Location |\n|---|---|\n| **Documentation index** | [docs/README.md](docs/README.md) |\n| Deployment | [docs/Deployment.md](docs/Deployment.md) |\n| Synology + Authentik | [docs/synology-authentik-compose.md](docs/synology-authentik-compose.md) |\n| Environment variables | [docs/Configuration.md](docs/Configuration.md) |\n| Upgrading (v0.5.9+) | [docs/Upgrading.md](docs/Upgrading.md) |\n| Event mapping | [docs/Event-Mapping.md](docs/Event-Mapping.md) |\n| Keys and rotation | [docs/Key-Management.md](docs/Key-Management.md) |\n| Apple SCIM sync | [docs/Apple-SCIM-Sync.md](docs/Apple-SCIM-Sync.md) |\n| Security checklist | [docs/Security-Notes.md](docs/Security-Notes.md) |\n| Troubleshooting | [docs/Troubleshooting.md](docs/Troubleshooting.md) |\n| API reference | [docs/API.md](docs/API.md) |\n| Threat model | [SECURITY.md](SECURITY.md) |\n| Changelog | [CHANGELOG.md](CHANGELOG.md) |\n\nWiki pages mirror `docs/` — sync from the repo when updating [GitHub Wiki](https://github.com/solarssk/ssf-transmitter/wiki).\n\n## Apple SCIM group filtering\n\nSet `APPLE_SCIM_GROUP_ID` to an Authentik group UUID to sync only members of a dedicated Apple group. See [docs/Apple-SCIM-Sync.md](docs/Apple-SCIM-Sync.md).\n\n## Development\n\nRequires **Python 3.14** (see `.python-version`; matches CI and the Docker image).\n\n```bash\npython3.14 -m venv .venv \u0026\u0026 . .venv/bin/activate\npip install -r requirements-dev.txt\nruff check .\npytest\n```\n\nGitHub Actions runs linting, tests, dependency checks, and a Docker image build on every push and pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolarssk%2Fssf-transmitter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolarssk%2Fssf-transmitter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolarssk%2Fssf-transmitter/lists"}