Skip to end of metadata
Go to start of metadata



  • COmanage:
    • Version 3.0
    • Basic enrollment flows: self-enrollment based on self-asserted attributes
    • Provisioning to standard SCZ targets: local LDAP and SAML attribute database
    • Generate service tokes
  • Satosa:
    • Log in via SURFconext
    • Log in via Google
    • SAML services can be connected manually
    • OIDC services can be connected manually
    • CO-membership and group memberships are relayed to 
    • CO-based authorization for SAML services
    • SAML and OIDC services are added manually
  • LDAP-provisioning:
    • COs are provisioned to separate o-trees
    • people and groups are provisioned
    • people get eduPerson, eduMember and posixAccount attributes with fixed (within a CO) ranges for uid and gid
    • access control to ldap database is manual


  • Working installation to local VMs (libvirt/qemu and virtualbox backends)


  • Test environment deployed (internal SURF)
  • Pilot environment deployed (public)
  • Direct connection to SURFconext (nowfap deprecated)

Known issues:

  • When logging in to a SAML SP that is connected to a CO, the CO information is not relayed properly.  For example, the eduPersonScopedAffiliation will be (literally) instead of properly identifying the CO.
  • When logging in to a SAML SP, the SP will receive IdP-attributes instead of only CO-owned attributes
  • The consent screen does not remember the given consent (it promised to not ask the question again for 3 or 6 months).  This is on purpose, to facilitate testing.
  • Loading the discovery screen takes a long time (40-60 seconds), and during this loading time, not all IdPs can be selected, and your browser might ask for certificated to access a number of IdP logos.
  • Access control for SPs is not enabled, so anyone with access to the platform (i.e., with a connected IdP) will be able to access all backend services.  Users who are not a member of the CO that owns the service will not get CO-specific attributes though.
  • Multivalued attributes are not relayed to OIDC clients.
  • Only self-signup enrollment flows are supported.
  • COmanage enrollment flows are fragile: missing a single setting in the enrollment config will mess everything up.  


Component versions (see Software versions and pull requests for a more detailedoverview):

  • COmanage: version 3.0 + upstream/hotfix-3.0.x plus fixes:
    • fix-servicetoken-submenu
    • feature-add-qrcode-token
    • fix-petition-notification
    • fix-session-state
  • SATOSA: version master-20180221 (f42cff6) plus fixes:
    • fixes for OIDC
    • add transparent (Dutch proxying) SAML endpoints for SPs
    • microservice updates 
  • Pyff: version 0.10.0 + fixes:
    • fix base64 padding in urls
  • CMservice: version 2.0.2 plus fixes:
    • fix upper/lower case issues for attribute names
    • fix templating error
  • No labels