8.6.5. Federation Handler Module¶
The federation event handler can be used to configure relations between several eduMFA instances. Requests can be forwarded to child eduMFA instances.
Note
The federation event handler can modify the original response.
If the response was modified a new field origin
will be added to the
detail
section in the response. The origin will contain the URL of
the eduMFA server that finally handled the request.
8.6.5.1. Possible Actions¶
8.6.5.1.1. forward¶
A request (usually an authentication request validate_check) can be forwarded to another eduMFA instance. The administrator can define eduMFA instances centrally at config -> eduMFA servers.
In addition to the eduMFA instance the action forward
takes the
following parameters:
client_ip The original client IP will be passed to the child eduMFA server. Otherwise the child eduMFA server will use the parent eduMFA server as client.
Note
You need to configure the allow override client in the child eduMFA server.
- realm The forwarding request will change the realm to the specified realm.
This might be necessary since the child eduMFA server could have different realms than the parent eduMFA server.
- resolver The forwarding request will change the resolver to the specified
resolver. This might be necessary since the child eduMFA server could have different resolvers than the parent eduMFA server.
One simple possibility would be, that a user has a token in the parent
eduMFA server and in the child eduMFA server. Configuring a forward
event handler on the parent with the condition result_value = False
would
have the effect, that the user can either authenticate with the parent’s
token or with the child’s token on the parent eduMFA server.
Federation can be used, if eduMFA was introduced in a subdivision of a larger company. When eduMFA should be enrolled to the complete company you can use federation. Instead of dropping the eduMFA instance in the subdivision and installing on single central eduMFA, the subdivision can still go on using the original eduMFA system (child) and the company will install a new top level eduMFA system (parent).
Using the federation handler you can setup many other, different scenarios we can not think of, yet.
8.6.5.2. Code¶
This is the event handler module for eduMFA federations. Requests can be forwarded to other eduMFA servers.
- class edumfa.lib.eventhandler.federationhandler.ACTION_TYPE[source]¶
Allowed actions
- FORWARD = 'forward'¶
- class edumfa.lib.eventhandler.federationhandler.FederationEventHandler[source]¶
An Eventhandler needs to return a list of actions, which it can handle.
It also returns a list of allowed action and conditions
It returns an identifier, which can be used in the eventhandling definitions
- property actions¶
This method returns a dictionary of allowed actions and possible options in this handler module.
- Returns:
dict with actions
- description = 'This event handler can forward the request to other eduMFA servers'¶
- do(action, options=None)[source]¶
This method executes the defined action in the given event.
- Parameters:
action
options (dict) – Contains the flask parameters g, request, response and the handler_def configuration
- Returns:
- identifier = 'Federation'¶