Architecture
XTB is a federation service providing these capabilities:
- routing authentication requests between relying parties (RP, also known as service provider / SP) and claims providers (CP, also known as identity provider / IDP), letting the user select the home realm or determining it computationally via scripting (home realm discovery, HRD)
- mapping claims/attributes between CP and RP (authentication context classes, SAML attributes and OIDC claims)
- backing logins with a single sign-on session store so that participating RPs do not need a new login when the same CP already authenticated the user with a sufficient Quality of Authentication (QoA)
- auditing login events as a central party
- supporting GitOps with a tracked, versioned and reviewable configuration repository
The supported protocols are:
- SAML 2.0 on RP and CP side (POST and redirect bindings; the artifact binding can be used too, at the price of higher integration effort and more complex operational impact)
- OIDC 1.0 on RP side, focusing on the best-practice subset (authorization code flow with PKCE for frontends and with client authentication for backends)
Actors and components explained:

Component | Purpose
---|---
User-Agent | The client is usually a browser in the case of front-channel controlled authentication, or otherwise an OIDC adapter running either in the browser using JavaScript or in a backend.
Relying Party Service | Handles the interaction with the application side based on
Claims Provider Service | Handles the interaction with the CPs based on
Authentication Service | Handles the federation between RP and CP service.
OIDC Service | Handles the RP-initiated OIDC authorization code flow based on the Spring Authorization Server. To separate the SAML and OIDC implementation sub-systems, the OIDC service is federated via SAML.
Authorization Code Flow Service | Handles the OIDC authorization code flow towards OIDC CPs.
HRD Controller | Handles the interaction with the user when selecting a CP from the HRD selection screen.
Script Service | Allows hooking Groovy scripts to manipulate the federation data and flow. See the processing model for supported hooks and the configuration section for a few examples.
SSO Service | Allows multiple RPs to share a session on the XTB. The SSO mechanism is based on cookies and device tracking and can be overridden via the SAML AuthnRequest (forceAuthn) and the OIDC authorize request (prompt=login). Minimal LoA requirements should be applied using this service.
Processing Model
The federation is executed as follows:
API and Protocols
XTB provides various endpoints for SAML and OIDC federation handling and has a small single page application for the parts that require user interaction.
These features are provided based on:
- the XTB SAML implementation using OpenSAML
- the XTB OIDC integration using a subset of the features of Spring Authorization Server
- the XTB application using Angular to provide the user interaction UI
Path | Protocol | Purpose
---|---|---
 | SAML | SAML metadata endpoint providing metadata according to "Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0"
 | SAML | SAML login/logout endpoint handling SP-initiated SSO (Redirect/POST bindings)
 | SAML | SAML artifact binding resolution endpoint
 | REST | OIDC metadata endpoint for obtaining the OpenID provider configuration information (discovery document)
 | OIDC | Authorization code flow starting point as defined by the OpenID Connect Authorization Endpoint (https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
 | OIDC | Token endpoint as defined by the OpenID Connect Token Endpoint. Used to retrieve tokens using an authorization code or a refresh_token.
 | OIDC | JSON Web Key endpoint serving the key sets (rotated on the configured keySchedule, see the global settings) required for token signature verification. See RFC 7517 for details.
 | OIDC | Token introspection: validates a posted access token and returns its data payload. See RFC 7662 for details.
 | OIDC | Token revocation: discards tokens from the XTB token cache. See RFC 7009 for details.
 | OIDC | UserInfo endpoint: returns the claims belonging to the bearer token posted in the HTTP Authorization header or as access_token in the POST body. See the OpenID Connect UserInfo Endpoint.
 | OIDC | Allows user agents to do an OpenID Connect Front-Channel Logout.
 | Web | Single page application for user interactions (mainly home realm discovery and error handling)
 | Web | SSO login status page for testing. Can be used to check and kill your own SSO sessions. Limitations: OIDC session members are visible here too, but only when SSO is used, and terminating an SSO session here does not invalidate OIDC tokens that were already issued.
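The authorization code flow with PKCE that the OIDC endpoints above serve, shown from the client side as an added example (this is not XTB code and not part of the original page). The issuer is the demo issuer from the global settings; the endpoint path `/authorize`, the `client_id` `demo-spa` and the redirect URI are assumptions for this example, a real client reads the endpoints from the discovery document. `verify_pkce` shows the check the token endpoint performs when `requireProofKey="true"` is set in the RP profile; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: issuer from the XTB demo configuration, everything else assumed.
ISSUER = "http://localhost:8090"
AUTHORIZATION_ENDPOINT = ISSUER + "/authorize"   # assumed path; read authorization_endpoint from discovery
CLIENT_ID = "demo-spa"                            # assumed Oidc/Client id
REDIRECT_URI = "http://localhost:4200/callback"   # assumed; must match an ACUrl of the client's RedirectUris


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(verifier: str, state: str, nonce: str,
                            scope: str = "openid profile email", acr_values: str = "") -> str:
    """Front-channel request the user agent is redirected to (client authentication 'none' + PKCE)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                    # CSRF binding, checked again on the callback
        "nonce": nonce,                    # must be echoed in the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",   # never 'plain'
    }
    if acr_values:                         # requested QoA, see defaultQoa / acr_values in the OIDC settings
        params["acr_values"] = acr_values
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url: str, expected_state: str) -> str:
    """Parse the redirect back to the client; reject a callback whose state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    return query["code"][0]


def verify_pkce(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server-side check at the token endpoint, i.e. what requireProofKey='true' enforces."""
    if method != "S256":
        return False                       # fail closed on 'plain' or unknown methods
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)


def token_request_body(code: str, verifier: str) -> dict:
    """Back-channel POST body for the token endpoint; the verifier proves possession of the challenge."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

A public client (the browser-side adapter from the component table) keeps the verifier, state and nonce in memory for the duration of the flow and sends the verifier only on the back channel; the token endpoint recomputes the challenge and rejects a code that was stolen from the front channel without it.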
Docker Installation
On a docker host XTB can be installed as a small service mesh (a set of cooperating containers) with docker compose. Requirements:
- Current distribution of a docker enabled Linux system
- Docker version 24 or above
- Alternatively: Podman version 4 or above (security restrictions apply)
- Network access to download images from internet docker registries
The setup will provide these endpoints:

Container | Endpoints | Remarks
---|---|---
mariadb | mysql --protocol=tcp --host=localhost --port=3306 --user=root --password=secret | Investigate storage: show databases; use TBSS16; show tables; desc TB_AUTH_SESSION_CACHE;
gitea | Endpoints of interest of the git repository server: | Documentation: https://docs.gitea.com/
trustbroker | Endpoints of interest of XTB: | Documentation: https://github.com/trustbroker-swiss
samlmock | RP entry points: http://localhost:7070 | Mock service simulating RP and CP messages based on the
TLS engineering:
- Server: please refer to https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.server.server.ssl.enabled
- Server: when staying on HTTP within a secure infrastructure you can terminate TLS on load balancers or ingress controllers.
- Server: the demo compose file sets TRUSTBROKER_CONFIG_SECUREBROWSERHEADERS=false because it runs on plain HTTP; leave it at its default (true) as soon as TLS terminates in front of or within XTB.
- Clients: in general you can map a JKS truststore into the containers at /usr/lib/jvm/zulu17-ca/lib/security/cacerts
- SAML artifact resolution client: you can engineer keystore/outgoing-tls-trust/truststore.p12 (PKCS12 recommended).
When switching to server TLS you can discard the
You can find the scripts mentioned in this section in the trustbroker-install
module on GitHub.
Install docker-compose (optional)
If your docker infrastructure does not support the 'docker compose' command, install docker-compose on your system. In short:

```bash
sudo bash
curl -SL https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
chmod 555 /usr/local/bin/docker-compose
```

Before installing the binary system-wide, verify the download against the checksum published with the release.
Default Setup
The demo setup should run out of the box as follows:
- Download docker-compose.yml
- Download env-vault.conf
- Download run.sh
Run the setup:

```bash
bash run.sh
```

Access the setup via the mocked demo relying parties at http://localhost:7070. You can use the browser's development tools and the SAML-tracer plugin to observe the traffic.
If pulling the docker images fails because of authorization issues, ask for access on the trustbroker.swiss discussion forum.
Customize Setup
You might want to tweak the development setup:
- Switch to another image version or distribution points.
- Set new secrets for the state cache and the keystores (p12/pem files).
- Generate new SSH keys to access the GitOps repository.
- Use other external ports.
- Remove Gitea because you already have a remote repository, or actually use Gitea so you can experiment with the configuration.
Example vault (kept in a CI or K8S vault for production setups) injected into docker-compose.yml via ENV. The values below are demo secrets; replace them outside of local trials:

```bash
# Variant 0: Run directly with the read-only public repository from GitHub
GIT_URL=https://github.com/trustbroker-swiss/xtb-gitops-demo.git
#GIT_TOKEN=not-required-on-public-repo
# Variant 1: Access token used to access the GitOps repository using an HTTP bearer token (must be created on the Git server)
# Gitea >> User Avatar >> Settings >> Applications >> Manage Access Tokens >> Generate Token
# Pass by value or by reference, i.e. $TRUSTBROKER_HOME/keys/git_token
#GIT_URL=http://git@gitea:3000/trustbroker-swiss/xtb-gitops-demo.git
#GIT_TOKEN=./keys/git_token
# Variant 2: SSH key used to access the GitOps repository using the ssh protocol (see setup-ssh.sh on how to get it)
# We instead mount the SSH key(s) into /etc/trustbroker/keys.
#GIT_URL=ssh://git@gitea:22/trustbroker-swiss/xtb-gitops-demo.git
#SSH_KEY=./keys/id_rsa
# Data selection from the git repo selecting trustbroker-inventories/DEMO
CONFIG_BRANCH=main
SPRING_PROFILES_ACTIVE=DEMO
# Passphrase to decrypt keystores stored in git (RSA private key in openssl PEM or PKCS12 keystores)
PKI_PASSPHRASE=changeit
# Access to the mariadb session store. We use the same passphrase for DB owner 'root' and XTB user 'trustbroker'.
STATECACHE_PASS=secret
# Development environment population
export GIT_URL GIT_TOKEN SSH_KEY CONFIG_BRANCH TRUSTBROKER_HOME SPRING_PROFILES_ACTIVE
export PKI_PASSPHRASE STATECACHE_PASS
# Rootless docker-compose requires switching the run user of the container.
[ -z "$UID" ] && export UID=$(id -u)
[ -z "$GID" ] && export GID=$(id -g)
export UID GID
```
Example docker compose depending on the vault (see the ${VAR} references) that you might want to tweak towards using an external session DB and/or git repository server. Note that the file publishes the MariaDB, LDAP and Gitea ports on all host interfaces with the demo passwords from env-vault.conf; bind them to 127.0.0.1 or drop the port mappings if the host is reachable from other machines:

```yaml
# vim: syntax=yaml textwidth=120 expandtab tabstop=2 softtabstop=2 shiftwidth=2 autoindent
# Docker compose setting up a standalone XTB service on a local docker host.
# NOTE: Source the ENV defining the secrets first or define them inline (SSH_KEY, PKI_PASSPHRASE, STATECACHE_PASS)
networks:
  trustbroker-network:
    external: false
services:
  mariadb:
    container_name: mariadb
    restart: on-failure
    image: docker.io/library/mariadb:10.7.6
    volumes:
      - ./mariadb:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3306:3306"
    environment:
      - MYSQL_DATABASE=TBSS16
      - MYSQL_ROOT_PASSWORD=${STATECACHE_PASS}
      - MYSQL_PASSWORD=${STATECACHE_PASS}
      - MYSQL_USER=trustbroker
    networks:
      - trustbroker-network
  gitea:
    container_name: gitea
    restart: on-failure
    image: docker.io/gitea/gitea:1.21.5
    environment:
      - USER_UID=1000
      - USER_GID=1000
    volumes:
      - ./gitea:/data
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22"
    networks:
      - trustbroker-network
  ldap:
    container_name: ldap
    image: bitnami/openldap
    ports:
      - '1389:1389'
      - '1636:1636'
    environment:
      #- BITNAMI_DEBUG=true
      - LDAP_ROOT=dc=trustbroker,dc=swiss
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=secret
      - LDAP_CUSTOM_SCHEMA_DIR=/schema_init
      - LDAP_CUSTOM_LDIF_DIR=/ldif_init
    volumes:
      - ./ldap_init/schema:/schema_init:ro
      - ./ldap_init/ldif:/ldif_init:ro
      #- openldap_data:/bitnami/openldap
  trustbroker:
    container_name: trustbroker
    image: ghcr.io/trustbroker-swiss/trustbroker-application:latest
    user: "${UID}:${GID}"
    depends_on:
      - gitea
      - mariadb
      - ldap
    volumes:
      - ./ssh:/etc/trustbroker/keys:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "8090:8090"
      - "8091:8091"
    environment:
      - GIT_URL=${GIT_URL}
      - GIT_TOKEN=${GIT_TOKEN}
      - SSH_KEY=${SSH_KEY}
      - CONFIG_BRANCH=main
      - SPRING_PROFILES_ACTIVE=DEMO
      - PKI_PASSPHRASE=${PKI_PASSPHRASE}
      - SPRING_FLYWAY_URL=jdbc:mariadb://mariadb:3306
      - SPRING_FLYWAY_USER=root
      - SPRING_FLYWAY_PASSWORD=${STATECACHE_PASS}
      - SPRING_DATASOURCE_USERNAME=trustbroker
      - SPRING_DATASOURCE_PASSWORD=${STATECACHE_PASS}
      # Debug SSH startup in case of connectivity problems with the external git repo
      #- LOGGING_LEVEL_ROOT=DEBUG
      # When running behind an enterprise proxy inject an HTTPS or SSH proxy (HTTP not supported)
      #- HTTPS_PROXY=http://proxy.company.com:1234
      #- SSH_PROXY_HOST=proxy.company.com
      #- SSH_PROXY_PORT=1234
      # When running on HTTP relax the cookie policies
      - TRUSTBROKER_CONFIG_SECUREBROWSERHEADERS=false
    networks:
      - trustbroker-network
  samlmock:
    container_name: samlmock
    image: ghcr.io/trustbroker-swiss/trustbroker-samlmock:latest
    depends_on:
      - gitea
    volumes:
      - ./ssh:/etc/trustbroker/keys:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "7070:7070"
      - "7071:7071"
    environment:
      - GIT_URL=${GIT_URL}
      - GIT_TOKEN=${GIT_TOKEN}
      - SSH_KEY=${SSH_KEY}
      - CONFIG_BRANCH=main
      - SPRING_PROFILES_ACTIVE=DEMO
      - PKI_PASSPHRASE=${PKI_PASSPHRASE}
    networks:
      - trustbroker-network
```
Re-Generate GitOps SSH Key
To generate your own SSH setup, execute setup-ssh.sh. Note that the generated ssh/config disables host key checking, which is acceptable for a local trial only; for anything else populate ssh/known_hosts with the Git server's host key and set StrictHostKeyChecking yes, otherwise the GitOps configuration (including keystores) can be fetched from an impostor server.

```bash
#!/bin/bash
# Site config (you can also use shorter ecdsa keys, but the git server needs to support it)
SSH_KEY_FILE=${SSH_KEY_FILE:-ssh/id_rsa}
SSH_KEY_OWNER=${SSH_KEY_OWNER:-xtb-owner@your.site}
SSH_CFG_FILE=${SSH_CFG_FILE:-ssh/config}
# SSH key is stored un-encrypted in the vault (no password necessary)
SSH_KEY_PASS=
# Trusted server keys need to be engineered when StrictHostKeyChecking=yes is used
SSH_HST_FILE=${SSH_HST_FILE:-ssh/known_hosts}
# Generate client key
ssh-keygen -m pem -t rsa -b 4096 -P "$SSH_KEY_PASS" -f $SSH_KEY_FILE -C $SSH_KEY_OWNER
# Provide server trust: Done automatically when connecting to the Git server for the first time.
# To explicitly establish server trust set up keys/config and keys/known_hosts using OpenSSH conventions.
# The following default config allows bootstrapping any ssh server automatically, so take care which git url you are using.
touch $SSH_HST_FILE
cat >$SSH_CFG_FILE <<EOT
Host *
  StrictHostKeyChecking no
EOT
# Optional: Inject the private key via ENV for bootstrap (done instead via volume mount from docker-compose or a K8S secret)
SSH_KEY=$(cat $SSH_KEY_FILE | base64 -w 0)
[ -f env-vault.conf ] && sed -i.old -e "s|SSH_KEY=.*|SSH_KEY=$SSH_KEY|" env-vault.conf
# Put the public key into the Git server user or repository settings
echo "##### Public SSH key to be added to Git server user/repository #####"
cat ${SSH_KEY_FILE}.pub
```
Setup Gitea Server
For trials you can use the Gitea server as shown in the docker-compose setup; you then need to switch from the GitHub to the Gitea URL for the xtb-gitops-demo repository.

```bash
sudo docker-compose up gitea
```

Set up manually:
- Connect to http://localhost:3000/ and confirm the default server setup.
- Register the user trustbroker-swiss and log in.
- Add the content of ssh/id_rsa.pub (and/or your own) to: User >> Settings >> SSH/PGP Keys >> Manage SSH Keys >> Add Key
- Create a repository xtb-gitops-demo.
- Optional, for HTTP access: User >> Settings >> Applications >> Manage Access Tokens >> Generate Token. The resulting access token can be set along with the GIT_URL as GIT_TOKEN or mapped to /etc/trustbroker/keys/git_token.
Note that an access token or SSH key is only required if the git repository is private (the Gitea default). You can make it public in the repository settings, in which case you do not need access keys. You can then add/edit/delete files in the web UI and read the repository without a login; anyone who can reach the server can read the repository then, including the (passphrase protected) keystores in it.
Clone the public demo repository:

```bash
git clone -b main git@github.com:trustbroker-swiss/xtb-gitops-demo.git
cd xtb-gitops-demo
```

Before pushing, you might want to create your own signer (see SetupRP/ProfileRP Certificates for its use):

```bash
cd trustbroker-inventories/DEMO/keystore/token-signer
./setup-signer.sh # my-subject my-passphrase
git commit -m "Created XTB signer" ./
```

Import your initial trial repository:

```bash
git remote set-url origin ssh://git@localhost:222/trustbroker-swiss/xtb-gitops-demo.git
git push -u origin main
```

Alternatively, use HTTP:

```bash
git remote set-url origin http://git@localhost:3000/trustbroker-swiss/xtb-gitops-demo.git
git push
```
Run the services in the directory where you stored the tweaked docker-compose.yml and env-vault.conf using the following run.sh:

```bash
#!/bin/bash
# Fast lane: Wire secrets into your docker-compose.yml and run it with 'docker-compose up' attached to the console.
# Below we run it the correct way.
# get secrets
source env-vault.conf
# validate
[ ! -n "$STATECACHE_PASS" ] && echo "ERROR: STATECACHE_PASS undefined" && exit 1
[ ! -n "$PKI_PASSPHRASE" ] && echo "ERROR: PKI_PASSPHRASE undefined" && exit 1
if [ -z "$SSH_KEY" -a -z "$GIT_TOKEN" -a ! -r ssh/id_rsa -a ! -r ssh/git_token ]; then
  echo "INFO: Assuming public access to $GIT_URL"
  echo "HINT: GIT_TOKEN should be defined for private access via ENV or mapped to /etc/trustbroker/keys/git_token"
  echo "HINT: SSH_KEY should be defined for private access via ENV or mapped to /etc/trustbroker/keys/id_rsa"
fi
# run service mesh in foreground
docker compose up
# run service mesh in background and follow trustbroker log
#docker compose up -d
#docker logs -f trustbroker
```
Configuration
This section provides insights into the various configurations and their purpose.
All configuration files maintained in the git branch XTB was started with are pulled within one minute by a scheduled job.
To speed up experimenting with or engineering configurations, run the reconfig.sh script on the side.
The configuration workflow is therefore as follows:
- Run XTB with a GIT_URL pointing to your GitOps repository (CONFIG_BRANCH=master is the default).
- Engineer your configuration and push it (the usual git add, commit, push workflow applies).
- Wait until the console shows the reconfiguration, or speed it up using the reconfig.sh script mentioned above.
- Test your changes.
Global Settings
XTB is a spring-boot microservice running with a built-in application.yml for defaults and, activated by spring.profiles.active=DEMO, an application.yml from the GitOps repository overriding or completing these defaults.
The following annotated demo file shows the settings:

```yaml
---
server:
  tomcat:
    threads: # scaling
      max: 100
      min-spare: 50
  servlet:
    session:
      cookie:
        name: BSESSION
  ssl:
    enabled: false
spring:
  datasource:
    url: ${spring.flyway.url}/${spring.flyway.schemas}
    username: trustbroker
    password: ${STATECACHE_PASS}
    driverClassName: ${spring.flyway.driver-class-name}
    hikari:
      maximum-pool-size: 30 # we run 3 pods in PROD => 90 connections max on mariadb (max acceptable is 150 per default)
      connection-timeout: 15000 # DB connection establish timeout in case of network problems (default: 30000ms = 30s)
      minimum-idle: 3 # close connections being idle for idle-timeout except if we have too few afterwards
      idle-timeout: 300000 # maximum connection idle time (default: 600000ms = 10min)
      max-lifetime: 1800000 # maximum connection lifetime in the pool after close (default: 1800000ms = 30min, mariadb has 60min)
      keepalive-time: 600000 # less than max-lifetime, using connection-test-query to probe the DB (default: 0ms == disabled)
      connection-test-query: select 1 from dual # probe DB according to keepalive-time
  flyway:
    enabled: true
    url: jdbc:mariadb://mariadb:3306
    user: root
    password: ${STATECACHE_PASS}
    schemas: TBSS16
    driver-class-name: org.mariadb.jdbc.Driver
    locations: [ classpath:db/migration/mariadb ]
    baselineOnMigrate: true # force upgrading the XTB schema even though the database is not empty
trustbroker:
  config:
    issuer: http://localhost:8090 # Issuer ID used to identify the assertion/token issuer
    perimeterUrl: ${trustbroker.config.issuer} # Override if the network endpoint cannot be derived from the issuer ID
    adminSecret: 'trustbroker.config.adminSecret'
    traceIdHeader: X-Request-Id # use the HTTP header injected by the edge infrastructure to correlate all logs belonging to a request
    sessionLifetimeSec: 1800 # 30min user login latency on CP/IDP
    ssoSessionLifetimeSec: 43200 # 12h without re-auth when SSO enabled=true and not SAML forceAuthn=true or OIDC prompt=login
    ssoMinQoaLevel: -2 # we allow SSO for any QOA level sent by the CP, i.e. unspecified having order# -1 is good enough
    handleResponderErrors: false # Pass through CP/IDP SAML responder messages to RP/SP
    # Allow access to some halfway public APIs usually not exposed on the internet (header injected by the network perimeter)
    network:
      networkHeader: 'X-ClientNetwork'
      internetNetworkName: INTERNET
      intranetNetworkName: INTRANET
    # Support a global signer and the option to read multiple certs from a single keystore (including p12) by picking by name
    signer:
      signerCert: ${TRUSTBROKER_HOME}/configuration/latest/keystore/token-signer/keystore.pem
      password: "${PKI_PASSPHRASE}"
    rolloverSigner:
      signerCert: ${TRUSTBROKER_HOME}/configuration/latest/keystore/token-signer/rollover-keystore.pem
      password: "${PKI_PASSPHRASE}"
    claimsMapping:
      syncSchedule: '0 */1 * * * *' # check for git changes every 1min
    stateCache:
      reapSchedule: '30 * * * * *' # check every minute for collectable sessions (see spring CronExpression)
      reapMaxDelaySec: 25 # randomize the actual execution start in multiple instance deployments (K8S replicas)
      targetMaxEntries: 104857 # max number of sessions before garbage collecting the oldest valid ones
      minSessionLifetimeSec: ${trustbroker.config.sessionLifetimeSec}
    secureBrowserHeaders: true # false required for OIDC when XTB runs on http instead of https
    security: # some of the following checks can be configured in RelyingParty.SecurityPolicies or ClaimsParty.SecurityPolicies
      tokenLifetimeSec: 3600 # Assertion/Condition/Subject timestamp create/check, override on RP SecurityPolicies.notOnOrAfter
      messageLifetimeSec: 28800 # AuthnRequest/Response/LogoutRequest IssueInstant timestamp check (accepted max)
      notBeforeToleranceSec: -5 # NTP time drift accepted from peer for notBefore timestamps
      notOnOrAfterToleranceSec: 5 # NTP time drift accepted from peer for notOnOrAfter timestamps
      requireSignedAuthnRequest: true # CP/IDP per default expects a signed request
      requireSignedResponse: true # CP/IDP per default must sign the response
      requireSignedAssertion: true # CP/IDP per default must sign the assertion within the response
      validateAuthnRequest: true # RP/SP per default must sign the request
      validateXmlSchema: true # Peers must comply with the SAML protocol schemas per default
      validateAcs: false # Validate the incoming AssertionConsumerServiceURL against the ACWhitelist (false: not validated)
      validateRelayState: true # SAML RelayState is required and must match the session
      validateAudience: true # SAML audience is matched against the XTB issuer if found
      requireAudienceRestriction: false # A missing SAML audience restriction results in an error
      validateResponseIssuer: false # SAML response issuer must match ClaimsParty.id (recommended)
      requireSubjectConfirmation: true # SAML responses must contain a SubjectConfirmation element
      validateSubjectConfirmationTimestamp: true # Timestamps must be in range
      validateSubjectConfirmationInResponseTo: true # SAML InResponseTo response attribute must match the request ID
      validateRequestIssueInstant: true # Check request IssueInstant timestamp against messageLifetimeSec
      validateRequestCondition: true # Check Condition before/after timestamps against tokenLifetimeSec and tolerances
      validateResponseIssueInstant: true # Check IssueInstant timestamp against messageLifetimeSec
      validateAssertionIssueInstant: true # Check IssueInstant timestamp against messageLifetimeSec
      validateAuthnStatementIssueInstant: true # Check IssueInstant timestamp against messageLifetimeSec
      doSignAssertions: true # RP/SP responses must contain an assertion signed by XTB
      doSignSuccessResponse: true # RP/SP responses must be signed by XTB
      doSignFailureResponse: true # RP/SP responder messages must be signed too
    # global Qoa model defining the order, the order is then optional in SetupRP/SetupCP
    qoa:
      defaultQoa: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
      strongestPossible: 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'
      mapping:
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered]': 100
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]': 200
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony]': 300
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwareTimeSyncToken]': 300
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos]': 400
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI]': 500
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract]': 500
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken]': 500
        '[urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI]': 600
    saml:
      consumerUrl: ${trustbroker.config.perimeterUrl}/api/v1/saml # SAML POST protocol endpoint
      artifactResolution:
        serviceUrl: ${trustbroker.config.perimeterUrl}/api/v1/saml/arp # SAML artifact resolution protocol endpoint
        index: 0
        artifactLifetimeSecs: 60
        artifactReapIntervalSecs: 300
        persistentCache: true # store artifacts in the session DB
      truststore:
        signerCert: ${TRUSTBROKER_HOME}/configuration/latest/keystore/outgoing-tls-trust/truststore.p12
        password: "${PKI_PASSPHRASE}"
    oidc:
      issuer: "${trustbroker.config.issuer}" # iss claim setup
      perimeterUrl: "${trustbroker.config.perimeterUrl}/login/saml2/sso" # XTB OIDC federation forward
      sessionMode: IN_DB # use mariadb for state sharing
      endSessionEndpoint: "${trustbroker.config.oidc.issuer}/logout"
      sessionLifetimeSec: ${trustbroker.config.sessionLifetimeSec}
      sessionCookie: true # set an additional tracking cookie for clients to detect session termination
      identityProvider:
        assertionConsumerService: "${trustbroker.config.saml.consumerUrl}"
        responseIssuerId: ${trustbroker.config.issuer}
        signer:
          signerCert: ${trustbroker.config.signer.signerCert}
          password: ${trustbroker.config.signer.password}
          keyEntryId: ${trustbroker.config.signer.keyEntryId}
        samlEncrypt: false # encrypt SAML messages sent from XTB/SAML to XTB/OIDC (more SAML attributes than OIDC claims)
      keySchedule: "0 0 1 * * *" # key rotation daily at 1 am (see spring CronExpression)
      keyExpirationMinutes: 2880 # keys valid for 48 hours (requires clients to fetch keys at least once a day)
      keyDeletionMinutes: 3000 # keys kept 2h longer in the database for debugging
      defaultQoa: "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" # fallback for acr_values claims
      # Globally customize /token and /userinfo output dropping technical claims (typ=JWT and iss=issuer we keep for now)
      addTokenClaims: # used on the /token endpoint to whitelist OIDC technical claims
        - acr # auth context class refs
        - aud # audience => client_id and other audiences
        - auth_time # authorize time
        - azp # authorized party => client_id
        - exp # token expiration
        - iat # token issued at
        - iss # OIDC issuer ID
        - jti # JSON token ID
        - nbf # token valid not before
        - nonce # message only once ID
        - scope # claims selection
        - session_state # OIDC session spec (future)
        - sid # front channel logout session ID
        - typ # keycloak specific token typing
      removeUserInfoClaims: # used in the /userinfo endpoint to blacklist OIDC technical claims (i.e. remove them from the response)
        - aud
        - auth_time
        - azp
        - exp
        - iat
        - jti
        - nbf
        - nonce
        - scope
        - session_state
        - sid
    gui:
      defaultLanguage: de # XTB supports de,fre,it,en per default
      features:
        - HEADER
        - FOOTER
      buttons:
        - HELP_PANEL # or HELP_LINK
        - LANGUAGE_SHORT # or LANGUAGE_LONG
      themeCookie:
        name: THEME
        defaultValue: default
        values:
          - default
      languageCookie:
        name: LANG
      skinnyHrdTriggers: # MSIE workaround using a hard-coded HRD handling instead of the standard application
        - name: 'User-Agent'
          regex: '.*Trident/7.*'
          value: '/skinnyColHRD.html'
logging:
  level:
    root: INFO
    swiss.trustbroker.script: DEBUG
```
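The trustbroker.config.security flags above describe which checks XTB applies to a SAML response from a CP. The following added example (not XTB code, which does this with OpenSAML) implements the timestamp, InResponseTo, issuer and audience checks over a constructed SAML response, using the demo values of tokenLifetimeSec, messageLifetimeSec and the two tolerances. The `SecurityPolicy` dataclass, function names and the sample response are assumptions for this example; signature elements are only checked for presence, the cryptographic verification is out of scope here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


@dataclass
class SecurityPolicy:
    """Subset of trustbroker.config.security with the demo values shown above (validateResponseIssuer enabled)."""
    tokenLifetimeSec: int = 3600
    messageLifetimeSec: int = 28800
    notBeforeToleranceSec: int = -5
    notOnOrAfterToleranceSec: int = 5
    requireSignedResponse: bool = True
    requireSignedAssertion: bool = True
    validateResponseIssuer: bool = True
    requireSubjectConfirmation: bool = True
    validateAudience: bool = True
    requireAudienceRestriction: bool = False


def parse_instant(value: str) -> datetime:
    value = value.strip()
    return datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)


def validate_response(xml_text, policy, expected_cp_id, request_id, xtb_issuer, now):
    """Return the list of violated policies (empty list = accepted). Signature *presence* only."""
    v = []
    root = ET.fromstring(xml_text)  # on untrusted input use a hardened parser such as defusedxml
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["not a saml2p:Response"]
    tol_nb = timedelta(seconds=policy.notBeforeToleranceSec)      # -5s: accept 5s of peer clock skew
    tol_noa = timedelta(seconds=policy.notOnOrAfterToleranceSec)  # +5s
    max_age = timedelta(seconds=policy.messageLifetimeSec)

    def check_issue_instant(el, what):
        inst = parse_instant(el.get("IssueInstant"))
        if inst + tol_nb > now:
            v.append(f"{what} IssueInstant in the future")
        elif now - inst > max_age:
            v.append(f"{what} IssueInstant older than messageLifetimeSec")

    check_issue_instant(root, "Response")
    if policy.validateResponseIssuer and root.findtext("saml2:Issuer", namespaces=NS) != expected_cp_id:
        v.append("Response Issuer does not match ClaimsParty.id")
    if policy.requireSignedResponse and root.find("ds:Signature", NS) is None:
        v.append("Response not signed")
    if root.get("InResponseTo") != request_id:
        v.append("Response InResponseTo does not match the AuthnRequest ID")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return v + ["no plain Assertion (EncryptedAssertion not handled in this example)"]
    check_issue_instant(assertion, "Assertion")
    if policy.requireSignedAssertion and assertion.find("ds:Signature", NS) is None:
        v.append("Assertion not signed")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        if policy.requireSubjectConfirmation:
            v.append("SubjectConfirmation missing")
    else:
        if scd.get("InResponseTo") != request_id:
            v.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= parse_instant(scd.get("NotOnOrAfter")) + tol_noa:
            v.append("SubjectConfirmationData expired")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb) + tol_nb:
            v.append("Conditions NotBefore not reached")
        if noa and now >= parse_instant(noa) + tol_noa:
            v.append("Conditions NotOnOrAfter expired")
        if nb and noa and parse_instant(noa) - parse_instant(nb) > timedelta(seconds=policy.tokenLifetimeSec):
            v.append("Conditions window longer than tokenLifetimeSec")
        aud = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if aud and policy.validateAudience and xtb_issuer not in aud:
            v.append("Audience does not match XTB issuer")
        if not aud and policy.requireAudienceRestriction:
            v.append("AudienceRestriction missing")
    return v


# Constructed sample: CP id and issuer from the demo configuration; empty ds:Signature elements only mark presence.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
CP_ID = "urn:trustbroker.swiss:idp:SAML-MOCK-1"
XTB_ISSUER = "http://localhost:8090"
REQUEST_ID = "_req-1"


def sample_response(age_seconds: int = 30, in_response_to: str = REQUEST_ID) -> str:
    issued = NOW - timedelta(seconds=age_seconds)
    ts = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}"
    ID="_resp-1" Version="2.0" IssueInstant="{ts(issued)}" InResponseTo="{in_response_to}">
  <saml2:Issuer>{CP_ID}</saml2:Issuer><ds:Signature/>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a-1" Version="2.0" IssueInstant="{ts(issued)}">
    <saml2:Issuer>{CP_ID}</saml2:Issuer><ds:Signature/>
    <saml2:Subject><saml2:NameID>user@example.org</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{XTB_ISSUER}/api/v1/saml"
            NotOnOrAfter="{ts(issued + timedelta(minutes=5))}"/>
      </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="{ts(issued - timedelta(seconds=5))}" NotOnOrAfter="{ts(issued + timedelta(seconds=3595))}">
      <saml2:AudienceRestriction><saml2:Audience>{XTB_ISSUER}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""
```

The negative tolerance on NotBefore and the positive one on NotOnOrAfter widen the acceptance window by the configured clock skew in both directions; messageLifetimeSec bounds how old a replayed message may be, while tokenLifetimeSec bounds the validity window the CP is allowed to grant.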
Claims Provider Definitions
This configuration defines the identification and visual aspects of the CPs shown on the HRD screen. HRD (home realm discovery) provides the means for a user to select, from multiple CPs, the one where an onboarding was done and an account is available.
The HRD screen is not shown when only one CP is federated; the definition is necessary anyway. The DEMO setup uses the SAML mock in several instances.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Define the HRD tiles for the claims parties defined in SetupCP_*.xml -->
<ClaimsProviderDefinitions>
  <ClaimsProvider name="SamlMock-1"
                  id="urn:trustbroker.swiss:idp:SAML-MOCK-1"
                  img="Tile_SAML-Mock.svg"
                  description="saml-mock-1"
                  shortcut="SM" color="#11AABB"
  />
  <ClaimsProvider name="SamlMock-2"
                  id="urn:trustbroker.swiss:idp:SAML-MOCK-2"
                  img="Tile_SAML-Mock.svg"
                  description="saml-mock-2"
                  shortcut="SM2" color="#FFAA33"
  />
  <ClaimsProvider name="SamlMock-3"
                  id="urn:trustbroker.swiss:idp:SAML-MOCK-3"
                  img="Tile_SAML-Mock-3.svg"
                  description="saml-mock-3"
                  shortcut="SM3" color="#FFAA33"
  />
</ClaimsProviderDefinitions>
```
Single Sign On Groups
SSO groups provide a means to join multiple relying parties into a single login group during a period defined by the group. A login with the same CP is then not required anymore.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
Define SSO groups and their lifecycle to join multiple relying parties into a single per-CP login session:
- name: SSO group name used in the RelyingParty.SSO element
- maxIdleTimeMinutes: Time until the SSO session expires without any interaction from any SSO participant
- maxSessionTimeMinutes: Time until the SSO session expires unconditionally
- maxCachingTimeMinutes: Set this one to the same value as maxSessionTimeMinutes (may become a feature in the future)
-->
<SSOGroupSetup>
  <SSOGroup name="SSO-GROUP-1"
            maxIdleTimeMinutes="120"
            maxSessionTimeMinutes="600"
            maxCachingTimeMinutes="600"
  />
</SSOGroupSetup>
```
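Whether an RP's login can be answered from an existing SSO session depends on the group lifetimes above, on the SSO service's forceAuthn / prompt=login override, on the session belonging to the same CP, and on the session's QoA against ssoMinQoaLevel and the RP's requested authentication context. The following added example (not XTB code; the dataclasses, the RP ids and the decision order are assumptions for this example) puts those rules together using the QoA order and ssoMinQoaLevel from the global settings and the SSO-GROUP-1 lifetimes from the file above. The `comparison` handling follows the SAML core RequestedAuthnContext semantics (exact, minimum, maximum, better), which goes beyond the `minimum` case the page discusses.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# QoA order from trustbroker.config.qoa.mapping; 'unspecified' has order -1 as the ssoMinQoaLevel comment says.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
QOA_ORDER = {
    AC + "unspecified": -1,
    AC + "MobileOneFactorUnregistered": 100,
    AC + "PasswordProtectedTransport": 200,
    AC + "NomadTelephony": 300,
    AC + "SoftwareTimeSyncToken": 300,
    AC + "Kerberos": 400,
    AC + "SoftwarePKI": 500,
    AC + "MobileTwoFactorContract": 500,
    AC + "TimeSyncToken": 500,
    AC + "SmartcardPKI": 600,
}
SSO_MIN_QOA_LEVEL = -2                              # ssoMinQoaLevel
SSO_SESSION_LIFETIME = timedelta(seconds=43200)     # ssoSessionLifetimeSec


@dataclass
class SsoGroup:                 # mirrors an SSOGroup element
    name: str
    max_idle_minutes: int
    max_session_minutes: int
    members: frozenset           # RP ids whose RelyingParty.SSO refers to this group (assumed)


@dataclass
class SsoSession:
    group: str
    cp_id: str
    qoa_class: str
    established_at: datetime
    last_activity: datetime


@dataclass
class LoginRequest:
    rp_id: str
    cp_id: str                        # CP chosen on the HRD screen
    requested_classes: tuple = ()     # RequestedAuthnContext / acr_values
    comparison: str = "minimum"       # SAML core 3.3.2.2.1: exact | minimum | maximum | better
    force_authn: bool = False         # SAML forceAuthn=true or OIDC prompt=login


def qoa_level(ac_class: str) -> int:
    return QOA_ORDER.get(ac_class, -1)   # unknown classes count as 'unspecified'


def satisfies(level: int, requested: tuple, comparison: str) -> bool:
    if not requested:
        return True
    levels = [qoa_level(c) for c in requested]
    if comparison == "exact":
        return level in levels
    if comparison == "minimum":
        return level >= min(levels)
    if comparison == "maximum":
        return level <= max(levels)
    if comparison == "better":
        return level > max(levels)
    return False                     # unknown comparison: fail closed


def evaluate_sso(session, group: SsoGroup, request: LoginRequest, now: datetime):
    """Return (reuse, reason); reuse=True means the RP gets a response without a new CP login."""
    if request.force_authn:
        return False, "forceAuthn / prompt=login: fresh authentication required"
    if session is None or session.group != group.name:
        return False, "no SSO session for this group"
    if request.rp_id not in group.members:
        return False, "RP is not a member of the SSO group"
    if session.cp_id != request.cp_id:
        return False, "SSO session was established with another CP"
    age = now - session.established_at
    if age > timedelta(minutes=group.max_session_minutes) or age > SSO_SESSION_LIFETIME:
        return False, "maxSessionTimeMinutes / ssoSessionLifetimeSec exceeded"
    if now - session.last_activity > timedelta(minutes=group.max_idle_minutes):
        return False, "maxIdleTimeMinutes exceeded"
    level = qoa_level(session.qoa_class)
    if level < SSO_MIN_QOA_LEVEL:
        return False, "session QoA below ssoMinQoaLevel"
    if not satisfies(level, request.requested_classes, request.comparison):
        return False, "session QoA does not satisfy the requested authentication context"
    return True, "SSO session reused"


# Constructed scenario: SSO-GROUP-1 from above, two assumed RPs, a password login at SAML-MOCK-1 at 08:00.
GROUP = SsoGroup("SSO-GROUP-1", 120, 600, frozenset({"urn:demo:rp:app1", "urn:demo:rp:app2"}))
T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
SESSION = SsoSession("SSO-GROUP-1", "urn:trustbroker.swiss:idp:SAML-MOCK-1",
                     AC + "PasswordProtectedTransport", T0, T0 + timedelta(minutes=30))


def demo() -> dict:
    req = LoginRequest("urn:demo:rp:app2", "urn:trustbroker.swiss:idp:SAML-MOCK-1")
    strong = replace(req, requested_classes=(AC + "SmartcardPKI",))
    return {
        "reuse": evaluate_sso(SESSION, GROUP, req, T0 + timedelta(hours=1))[0],
        "force_authn": evaluate_sso(SESSION, GROUP, replace(req, force_authn=True), T0 + timedelta(hours=1))[0],
        "other_cp": evaluate_sso(SESSION, GROUP, replace(req, cp_id="urn:trustbroker.swiss:idp:SAML-MOCK-2"), T0 + timedelta(hours=1))[0],
        "too_weak": evaluate_sso(SESSION, GROUP, strong, T0 + timedelta(hours=1))[0],
        "idle_expired": evaluate_sso(SESSION, GROUP, req, T0 + timedelta(minutes=151))[0],
        "exact_match": evaluate_sso(SESSION, GROUP, replace(req, requested_classes=(AC + "PasswordProtectedTransport",), comparison="exact"), T0 + timedelta(hours=1))[0],
    }
```

Note that the QoA check makes the SSO session only as strong as the weakest login that created it: an RP that needs SmartcardPKI gets a fresh CP login even though a valid password-based session exists in the same group.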
Claims Party Setup
The SetupCP.xml defines the technical association with a CP. Its id must match the one in the ClaimsProviderDefinition.xml.
A trust anchor is required because SAML responses from a CP must be signed. Assertion signing is optional but recommended.
The incoming assertion attributes are declared to also document the expected input from the CP.

```xml
<?xml version="1.0" encoding="utf-8"?>
<ClaimsProviderSetup>
  <ClaimsParty id="urn:trustbroker.swiss:idp:SAML-MOCK-1">
    <SSOUrl>http://localhost:7070/auth/saml2/idp/samples</SSOUrl>
    <Certificates>
      <SignerTruststore>
        <CertPath>token-signer/keystore.pem</CertPath>
        <Password>$PKI_PASSPHRASE</Password>
      </SignerTruststore>
    </Certificates>
    <Saml>
      <ArtifactBinding inboundMode="SUPPORTED" outboundMode="SUPPORTED"/>
    </Saml>
    <!-- CP attributes to be propagated -->
    <AttributesSelection>
      <Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
      <Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
      <Definition name="FamilyName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
    </AttributesSelection>
  </ClaimsParty>
</ClaimsProviderSetup>
```
Relying Party Profile
Profiles provide a mechanism to declare a template for multiple relying parties using the same protocols, claims definitions and mapping procedures.
The content of a RelyingParty declared here needs to be correctly ordered according to the configuration schema (see RelyingParty.java or the XSD files in the docker image).
The order reflects the processing model (see architecture), so reading a ProfileRP or SetupRP top down shows which elements are used when processing the federation:
- Input validation (issuer/client IDs, signatures using the truststore, security policies affecting request processing)
- Handling protocols (Saml, Oidc sections)
- Applying XTB features (like SSO)
- Dispatching towards CPs using ClaimsProviderMappings
- On the response from the CP, applying the CP AttributesSelection filtering
- Invoking the IDM service applying the list of configured IDMQuery (not shown in OSS yet)
- On the response to the RP, applying the UserDetailsSelection (IDM source), PropertiesSelection (computed by scripts) and ClaimsSelection (towards OIDC) filtering
- Scripts affect the overall processing and come last
<?xml version="1.0" encoding="utf-8"?>
<!-- A base profile defines defaults used by all RelyingParty setups referring to it -->
<RelyingParty>
<Certificates>
<!-- Signer towards all RPs -->
<SignerKeystore>
<CertPath>token-signer/keystore.pem</CertPath>
<Password>$PKI_PASSPHRASE</Password>
</SignerKeystore>
<!-- Fallback: We only trust ourselves -->
<SignerTruststore>
<CertPath>token-signer/keystore.pem</CertPath>
<Password>$PKI_PASSPHRASE</Password>
</SignerTruststore>
</Certificates>
<SecurityPolicies
notOnOrAfterSeconds="3600"
requireSignedAuthnRequest="true"
requireSignedLogoutRequest="true"
validateXmlSchema="true"
/>
<Oidc>
<Client id="template">
<!-- Access restrictions (development only) -->
<RedirectUris>
<ACUrl>https://oidcdebugger.com/debug</ACUrl>
<ACUrl>http://localhost:0/.*</ACUrl>
</RedirectUris>
<!-- PKCE code flow with requireProofKey=true and client authentication none -->
<OidcSecurityPolicies
requireProofKey="true"
tokenTimeToLiveMin="60"
refreshTokenTimeToLiveMin="60"
/>
<!-- Supported subset of https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest -->
<AuthorizationGrantTypes>
<GrantType>authorization_code</GrantType>
<GrantType>refresh_token</GrantType>
</AuthorizationGrantTypes>
<!-- Supported subset of https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication -->
<ClientAuthenticationMethods>
<Method>none</Method>
<Method>client_secret_basic</Method>
<Method>client_secret_post</Method>
</ClientAuthenticationMethods>
<!-- Scopes see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims -->
<Scopes>
<Scope>openid</Scope>
<Scope>profile</Scope>
<Scope>email</Scope>
</Scopes>
<!-- Claims see at https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims -->
<ClaimsSelection>
<Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
oidcNames="email" multiValued="STRING"/>
<Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
oidcNames="given_name"/>
<Definition name="Name" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
oidcNames="family_name"/>
<Definition name="dateOfBirth" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"
oidcNames="birthdate" multiValued="STRING" oidcMapper="TIME_EPOCH"/>
<Definition name="address" namespaceUri="address"
oidcNames="address"/>
<Definition name="displayName" namespaceUri="2.16.840.1.113730.3.1.241"
oidcNames="name" multiValued="LIST"/>
</ClaimsSelection>
</Client>
</Oidc>
<Saml>
<ArtifactBinding inboundMode="SUPPORTED" outboundMode="SUPPORTED"/>
<!-- XML security defaults according to https://www.w3.org/TR/xmlsec-algorithms/ -->
<Signature>
<CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</CanonicalizationAlgorithm>
<SignatureMethodAlgorithm>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</SignatureMethodAlgorithm>
<DigestMethod>http://www.w3.org/2001/04/xmlenc#sha256</DigestMethod>
</Signature>
</Saml>
<!-- SSO also is used in disabled mode so XTB knows where to send the LogoutResponse to -->
<SSO enabled="false" sloUrl="please-define-if-rp-does-saml-logouts"/>
<!-- Processing: Accepted incoming original issuer attributes -->
<AttributesSelection>
<Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
<Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
<Definition name="FamilyName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
<Definition name="dateOfBirth" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"/>
<Definition name="displayName" namespaceUri="2.16.840.1.113730.3.1.241"/>
<!-- CP is visible only in SAML OriginalIssuer in RP response. Make it visible as an OIDC claim. -->
<Definition name="HomeRealmHint" namespaceUri="HomeRealmHint" oidcNames="homerealmhint"/>
</AttributesSelection>
<!-- Processing: Attributes computed in groovy scripts. It's possible to use oidcNames declarations already on any selection definition. -->
<PropertiesSelection>
<!-- Computed birthdate can be picked exclusively (remove from AttributesSelection above, or in the groovy script). -->
<Definition name="displayName" namespaceUri="2.16.840.1.113730.3.1.241" oidcNames="name" multiValued="LIST"/>
<!-- ssoSessionId is an XTB specific claim that allows to identify the federation session source -->
<Definition name="ssoSessionId" namespaceUri="http://trustbroker.swiss/claims/ssoSessionId" oidcNames="ssoSessionId"/>
</PropertiesSelection>
<!-- Processing: All RP side hooks dumping provided request/response data -->
<Scripts>
<Script type="BeforeHrd">DebugRpRequest.groovy</Script>
<Script type="BeforeIdm">DebugCpResponse.groovy</Script>
<Script type="AfterIdm">DebugCpResponse.groovy</Script>
<Script type="OnToken">DebugCpResponse.groovy</Script>
<Script type="OnUserInfo">DebugCpResponse.groovy</Script>
</Scripts>
</RelyingParty>
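The selection filters listed in the processing order above (CP AttributesSelection, RP AttributesSelection, PropertiesSelection for script output, ClaimsSelection and any oidcNames declared on a selection definition) can be modelled in a few lines. The following is an added example, not XTB code: it parses a constructed subset of the ProfileRP shown above with the Python standard library and applies the filters to a constructed CP response. The function names, the sample values and the multiValued handling (LIST keeps a list, anything else takes the first value) are this example's assumptions, not the project's documented semantics.

```python
# Added example (not XTB code): model of the selection filters a ProfileRP applies
# between the CP response and the RP response. Definitions carrying oidcNames also
# become OIDC claims, as the profile comments describe.
import xml.etree.ElementTree as ET

# Constructed subset of the ProfileRP above (FamilyName deliberately not selected).
PROFILE_RP_XML = """<RelyingParty>
  <AttributesSelection>
    <Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    <Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
    <Definition name="HomeRealmHint" namespaceUri="HomeRealmHint" oidcNames="homerealmhint"/>
  </AttributesSelection>
  <PropertiesSelection>
    <Definition name="displayName" namespaceUri="2.16.840.1.113730.3.1.241" oidcNames="name" multiValued="LIST"/>
  </PropertiesSelection>
  <Oidc>
    <Client id="template">
      <ClaimsSelection>
        <Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" oidcNames="email"/>
        <Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" oidcNames="given_name"/>
      </ClaimsSelection>
    </Client>
  </Oidc>
</RelyingParty>"""

# Constructed CP response and script output, not real data.
CP_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["ada@example.test"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Ada"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ["Lovelace"],  # not selected by this RP
    "HomeRealmHint": ["urn:trustbroker.swiss:idp:SAML-MOCK-2"],
    "urn:example:unlisted": ["must never reach the RP"],
}
SCRIPT_PROPERTIES = {
    "2.16.840.1.113730.3.1.241": ["Ada Lovelace"],
    "urn:example:debug": ["not declared in PropertiesSelection, dropped"],
}


def definitions(root, path):
    """Definition elements under `path`, keyed by namespaceUri (the selection list)."""
    return {d.get("namespaceUri"): d.attrib for d in root.findall(path + "/Definition")}


def select(values, defs):
    """Filtering step: keep only values whose namespaceUri has a Definition."""
    return {ns: v for ns, v in values.items() if ns in defs}


def oidc_value(values, definition):
    # Assumption: multiValued="LIST" keeps the list, otherwise the first value is used.
    return list(values) if definition.get("multiValued") == "LIST" else values[0]


def federate(profile_xml, cp_attributes, script_properties):
    """Apply AttributesSelection, PropertiesSelection and ClaimsSelection in processing
    order. Returns (attributes for the SAML response, claims for the OIDC token)."""
    root = ET.fromstring(profile_xml)
    attr_defs = definitions(root, "AttributesSelection")
    prop_defs = definitions(root, "PropertiesSelection")
    claim_defs = definitions(root, "Oidc/Client/ClaimsSelection")

    attributes = select(cp_attributes, attr_defs)      # RP-side attribute filter
    properties = select(script_properties, prop_defs)  # script output must be declared

    claims = {}
    # oidcNames on any selection definition produces a claim; ClaimsSelection maps the rest.
    for source, defs in ((attributes, attr_defs), (properties, prop_defs), (attributes, claim_defs)):
        for ns, values in source.items():
            definition = defs.get(ns, {})
            oidc_name = definition.get("oidcNames")
            if oidc_name:
                claims[oidc_name] = oidc_value(values, definition)
    return {**attributes, **properties}, claims


if __name__ == "__main__":
    attrs, claims = federate(PROFILE_RP_XML, CP_ATTRIBUTES, SCRIPT_PROPERTIES)
    print("SAML attributes:", attrs)
    print("OIDC claims:", claims)
```

Anything a CP or a script emits that is not declared in a selection list never reaches the RP, which is why the contract should be kept in the configuration rather than only in script code.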
Relying Party Setup
The SetupRP.xml defines the federation with the SAML service provider or OIDC application client based on the ProfileRP.xml it refers to.
The profile is optional but recommended to reduce bad copy&paste habits and maintain site policies within few profiles. The merging is done at startup or when a git configuration change is detected. Broken configurations are ignored for resilience.
<?xml version="1.0" encoding="utf-8"?>
<!-- relying party setup showing the basics of non-SSO usage -->
<RelyingPartySetup>
<RelyingParty id="urn:trustbroker.swiss:sp:DEMO-RP-1" base="ProfileRP_DemoDefaults.xml">
<ACWhitelist>
<ACUrl>http://localhost:7070/authn/consumer</ACUrl>
</ACWhitelist>
<Saml>
<ProtocolEndpoints>
<MetadataUrl>http://localhost:7070/saml/metadata</MetadataUrl>
<ArtifactResolutionUrl>http://localhost:7070/authn/arp</ArtifactResolutionUrl>
<ArtifactResolutionIndex>0</ArtifactResolutionIndex>
</ProtocolEndpoints>
<ArtifactBinding inboundMode="SUPPORTED" outboundMode="SUPPORTED"/>
</Saml>
<SSO enabled="false" sloUrl="http://localhost:7070/auth/saml/slo"/>
<ClaimsProviderMappings>
<ClaimsProvider id="urn:trustbroker.swiss:idp:SAML-MOCK-1"/>
<ClaimsProvider id="urn:trustbroker.swiss:idp:SAML-MOCK-2"/>
<ClaimsProvider id="urn:trustbroker.swiss:idp:SAML-MOCK-3"/>
<!-- invisible but addressable CP, remove the previous entry to make SAML-MOCK-3 invisible on the HRD screen -->
<ClaimsProvider id="urn:trustbroker.swiss:idp:SAML-MOCK-3" relyingPartyAlias="urn:trustbroker.swiss:sp:DEMO-RP-3"/>
</ClaimsProviderMappings>
<Scripts>
<Script type="BeforeHrd">HrdAutoSelectClaimsProvider.groovy</Script>
<Script type="AfterIdm">ComputeDerivedAttributes.groovy</Script>
</Scripts>
</RelyingParty>
</RelyingPartySetup>
Qoa Setup
XTB can do Qoa (acr) checking and enforcement mapping authentication context classes on CP and RP side.
The Qoa model is configured in 3 areas:
- A global model can be defined in the trustbroker.config.qoa section so the SetupRP/SetupCP Qoa sections do not need to define the order number (specifying which ACClass is stronger than another).
- SetupRP defines defaults an RP requires (assuming default comparison type exact). This list is used when the RP does not send any requirements, or it is used to validate incoming requirements.
- SetupCP defines what the federated IdP supports and is used for outbound mapping (using the internal order numbers) and also to validate what the CP returns.
RP Qoa example (validating/mapping inbound acr value and mapping back outbound values):
<?xml version="1.0" encoding="utf-8"?>
<RelyingPartySetup>
<RelyingParty id="urn:trustbroker.swiss:sp:QOA-RP-2" base="ProfileRP_DemoDefaults.xml">
<ACWhitelist>
<ACUrl>http://localhost:7070/authn/consumer</ACUrl>
</ACWhitelist>
<SSO enabled="false" sloUrl="http://localhost:7070/auth/saml/slo"/>
<ClaimsProviderMappings>
<ClaimsProvider id="urn:trustbroker.swiss:idp:SAML-MOCK-2"/>
</ClaimsProviderMappings>
<Qoa enforce="true">
<!-- Accepted Qoa names sent by RPs, order number is optional if trustbroker.config.qoa defines a global model -->
<ACClass order="099">qoa-099-custom</ACClass>
<ACClass order="100">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered</ACClass>
<ACClass order="200">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ACClass>
<ACClass order="300">urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony</ACClass>
<ACClass order="301">urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwareTimeSyncToken</ACClass>
<ACClass order="400">urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</ACClass>
<ACClass order="500">urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI</ACClass>
<ACClass order="501">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
<ACClass order="502">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</ACClass>
<ACClass order="600">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneSmartcardPKIFactorUnregistered</ACClass>
</Qoa>
</RelyingParty>
</RelyingPartySetup>
CP Qoa example (mapping inbound acr values and validating/mapping outbound values):
<?xml version="1.0" encoding="utf-8"?>
<ClaimsProviderSetup>
<ClaimsParty id="urn:trustbroker.swiss:idp:SAML-MOCK-2">
<SSOUrl>http://localhost:7070/auth/saml2/idp/samples</SSOUrl>
<Certificates>
<SignerTruststore>
<CertPath>token-signer/keystore.pem</CertPath>
<Password>$PKI_PASSPHRASE</Password>
</SignerTruststore>
</Certificates>
<SecurityPolicies
requireSignedResponse="true"
validateXmlSchema="true"
/>
<Saml>
<ArtifactBinding inboundMode="SUPPORTED" outboundMode="SUPPORTED"/>
</Saml>
<!-- use another claim as NameID on CP side -->
<SubjectNameMappings preserve="false">
<SubjectName
issuer="urn:trustbroker.swiss:idp:SAML-MOCK-2"
source="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
/>
</SubjectNameMappings>
<!-- CP-side QoA supported mapped from RP-side context classes (100 and 600 not supported by CP) -->
<!-- SAML comparisonType=exact is default, minimum is used when RP does not send it -->
<Qoa enforce="true" comparison="minimum">
<ACClass order="099">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ACClass>
<ACClass order="200">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ACClass>
<ACClass order="300">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
<ACClass order="301">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
<ACClass order="400">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
<ACClass order="500">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
<ACClass order="501">urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ACClass>
</Qoa>
<!-- CP attributes to be propagated -->
<AttributesSelection>
<Definition name="EMail" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
<Definition name="FirstName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
<Definition name="FamilyName" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
<!-- https://schemas.xmlsoap.org/ws/2005/05/identity/Identity_Selector_Interoperability_Profile_V1.5.pdf -->
<Definition name="dateOfBirth" namespaceUri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"/>
<!-- https://docs.ldap.com/specs/rfc2798.txt (source 1) -->
<Definition name="displayName" namespaceUri="2.16.840.1.113730.3.1.241"/>
<!-- IDP sending HRD name for some users -->
<Definition name="HomeRealmHint" namespaceUri="HomeRealmHint"/>
</AttributesSelection>
<Scripts>
<!-- Incoming from CP we can already validate and compute some derived claims -->
<Script type="BeforeIdm">ComputeDerivedAttributes.groovy</Script>
</Scripts>
</ClaimsParty>
</ClaimsProviderSetup>
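The two Qoa sections above can be walked through end to end: validate what the RP asks for, map it to the CP via the order numbers, validate what the CP returns and map it back. The following is an added example, not XTB code, using the order numbers from the RP and CP Qoa examples above. The interpretation of comparison="exact" (same order number) and comparison="minimum" (lowest supported order at or above the request), the handling of a CP class listed under several orders, and all function names are this example's assumptions.

```python
# Added example (not XTB code): Qoa validation and mapping with the RP/CP models above.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MTFC = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
MOBILE_1FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"

# RP side: accepted context classes with their order (RP Qoa example).
RP_QOA = {
    "qoa-099-custom": 99,
    MOBILE_1FA: 100,
    PPT: 200,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony": 300,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwareTimeSyncToken": 301,
    KERBEROS: 400,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI": 500,
    MTFC: 501,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 502,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneSmartcardPKIFactorUnregistered": 600,
}
# CP side: order -> class the CP understands (CP Qoa example; 100 and 600 unsupported).
CP_QOA = {99: PPT, 200: PPT, 300: MTFC, 301: MTFC, 400: MTFC, 500: MTFC, 501: MTFC}


class QoaError(ValueError):
    """Raised where enforce="true" would reject the request or response."""


def validate_rp_request(requested, rp_model=RP_QOA):
    """Inbound check: every class the RP asks for must be configured for it.
    An empty request falls back to the RP defaults (the configured list)."""
    if not requested:
        return list(rp_model)
    unknown = [c for c in requested if c not in rp_model]
    if unknown:
        raise QoaError(f"RP requested unsupported context classes: {unknown}")
    return list(requested)


def map_to_cp(requested, comparison="exact", rp_model=RP_QOA, cp_model=CP_QOA):
    """Outbound mapping RP class -> order -> CP class (assumed semantics:
    exact needs the same order, minimum takes the lowest CP order >= requested)."""
    mapped = []
    for rp_class in requested:
        order = rp_model[rp_class]
        if comparison == "exact":
            cp_class = cp_model.get(order)
        else:
            candidates = sorted(o for o in cp_model if o >= order)
            cp_class = cp_model[candidates[0]] if candidates else None
        if cp_class is None:
            raise QoaError(f"CP supports no context class for order {order} ({comparison})")
        if cp_class not in mapped:
            mapped.append(cp_class)
    return mapped


def validate_cp_response(returned, requested, comparison="exact", rp_model=RP_QOA, cp_model=CP_QOA):
    """Check the class the CP returned against the RP request, return the RP-side class."""
    returned_orders = {o for o, c in cp_model.items() if c == returned}
    if not returned_orders:
        raise QoaError(f"CP returned unknown context class {returned!r}")
    wanted = [rp_model[c] for c in requested]
    if comparison == "exact":
        satisfied = [o for o in wanted if o in returned_orders]
    else:  # assumption: a class under several orders counts as its highest order
        best = max(returned_orders)
        satisfied = [best] if best >= min(wanted) else []
    if not satisfied:
        raise QoaError(f"CP returned orders {sorted(returned_orders)}, RP required {wanted} ({comparison})")
    return next(c for c, o in rp_model.items() if o == satisfied[0])


def rejects(fn, *args, **kwargs):
    """True when the call is refused with QoaError (shows enforce="true" behaviour)."""
    try:
        fn(*args, **kwargs)
    except QoaError:
        return True
    return False


if __name__ == "__main__":
    req = validate_rp_request([KERBEROS])
    print("to CP:", map_to_cp(req))                       # Kerberos (400) -> MobileTwoFactorContract
    print("to RP:", validate_cp_response(MTFC, req))      # mapped back to Kerberos
    print("100 exact rejected:", rejects(map_to_cp, [MOBILE_1FA]))
```

With enforce="true" the failure cases are refusals, not silent downgrades: an RP asking for a class it is not configured for, a request the CP cannot satisfy, and a CP answering below the requested level all raise.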
PKI Setup
OIDC
OIDC uses automatically generated keys that are rotated (per default) weekly.
Clients not checking the JWKS endpoint
- when the kid claim in the header does not match the local key set, or
- periodically, but at least once a week,
might run into JWT signature verification problems. Key rotation settings need to be tuned in this case in the global configuration (see above). It is recommended to fix the client instead.
XTB fetches and caches OIDC CP metadata on start-up and updates it periodically or when a key is referenced that is not cached.
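What "fixing the client" means in practice is a JWKS cache that refreshes on an unknown kid and at least once per rotation period, while not refetching on every unknown kid a caller presents. The following is an added example, not XTB or Spring Authorization Server code: the JWKS fetcher is injected so it runs offline, and the key sets, kid values and tokens are constructed.

```python
# Added example (not XTB code): JWKS cache with refresh on unknown kid and at least
# weekly, rate limited so that tokens with arbitrary kids cannot force a fetch per call.
import base64
import json
import time

WEEK_SECONDS = 7 * 24 * 3600


def jwt_header(token):
    """Decode the JOSE header of a compact JWT (signature is not checked here)."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_token(kid):
    """Constructed token: only the header matters for key lookup."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"


class JwksCache:
    def __init__(self, fetch, clock=time.time, max_age=WEEK_SECONDS, min_interval=60):
        self._fetch = fetch            # callable returning the JWKS document as a dict
        self._clock = clock
        self._max_age = max_age        # refresh at least this often (rotation period)
        self._min_interval = min_interval  # never refetch for unknown kids faster than this
        self._keys = {}
        self._fetched_at = None
        self.fetch_count = 0

    def _refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", [])}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def key_for(self, token):
        """JWK matching the token's kid; refreshes when stale or the kid is unknown."""
        kid = jwt_header(token).get("kid")
        age = None if self._fetched_at is None else self._clock() - self._fetched_at
        if age is None or age >= self._max_age:
            self._refresh()                       # periodic refresh
        elif kid not in self._keys and age >= self._min_interval:
            self._refresh()                       # unknown kid: probably a rotation
        key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"kid {kid!r} not published by the issuer")
        return key


class FakeIssuer:
    """Stands in for the JWKS endpoint; constructed keys only."""
    def __init__(self, keys):
        self.keys = keys

    def fetch(self):
        return {"keys": list(self.keys)}


def rotation_scenario():
    """Walk through a weekly rotation; returns the fetch count after each step."""
    issuer = FakeIssuer([{"kid": "week-1", "kty": "RSA", "e": "AQAB", "n": "constructed"}])
    now = [1_000_000.0]
    cache = JwksCache(issuer.fetch, clock=lambda: now[0])
    counts = []
    cache.key_for(make_token("week-1")); counts.append(cache.fetch_count)  # first use: 1
    cache.key_for(make_token("week-1")); counts.append(cache.fetch_count)  # known kid: still 1
    issuer.keys.append({"kid": "week-2", "kty": "RSA", "e": "AQAB", "n": "constructed"})
    now[0] += 120
    cache.key_for(make_token("week-2")); counts.append(cache.fetch_count)  # rotation seen: 2
    try:
        cache.key_for(make_token("not-published"))                        # rate limited, no fetch
    except KeyError:
        pass
    counts.append(cache.fetch_count)                                     # still 2
    now[0] += WEEK_SECONDS
    cache.key_for(make_token("week-2")); counts.append(cache.fetch_count)  # weekly refresh: 3
    return counts


if __name__ == "__main__":
    print("fetches after each step:", rotation_scenario())
```

The rate limit on kid misses is the part clients most often omit: without it, every token carrying a made-up kid turns into a request against the JWKS endpoint.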
SAML
XTB supports various keystore formats, but we recommend the first 2:
- keystore.pem: OpenSSL PEM formatted certificate along with the private RSA key, protected by the PKI_PASSPHRASE from the runtime environment (K8S secret, CO vault)
- truststore.pem: The same but with no private key in there. This one instead might contain multiple trusted certificates (e.g. when the peer is in the process of replacing its signer)
- keystore.p12: PKCS12 keystores with or without private keys.
- keystore.jks: Java keystores are fast but not recommended, use one of the other formats.
Tools to work with keystores:
- openssl
- keytool (mainly to read JKS and transfer private keys into PKCS12 files for openssl handling)
Please check the installation documentation for signer generation.
Groovy Scripts
Setup and profile configurations can refer to groovy scripts to customize federation data and flow. Check the scripting section for insights.
UI Setup
XTB has a small frontend for various purposes, mainly HRD (see above) and error display.
The following can be customized:
- config: The global settings contain a few UI influencing settings (e.g. the site specific language cookie, if the browser language shall be overruled)
- translations: Texts for languages de, fr, en and it.
- images: The tile images used on the HRD screen and declared in the ClaimsProviderDefinition.xml (see above)
- assets: The theme resources to provide a corporate identity (icons, style, logo)
Text handling:
- Text keys can be found in trustbroker-frontend/src (look for the ng translate items).
- Texts are maintained in texts.json for convenience and can be exchanged as texts.csv for translation services.
- The text2json.py script checks the maintained master file and generates the derived de/fr/en/it.json translations.
Theme Customizing
See xtb-gitops-demo for assets and check the CSS to see if the styling of the interactive parts of XTB (usually HRD and error screen) fits your needs.
Reconfiguration Process
On first time use the repository is cloned into the configCache.
XTB from then on checks the GitOps repository for changes and if commits are detected:
- git pull the changes in configCache
- copy the selected stage profile into configuration/new
- validate the configuration
- if ok, activate the configuration by swapping the latest configuration into the previous one; the new one takes its place.
This allows to diff latest against previous to see what changed.
Changes are also INFO logged in the console.
During development the following script speeds up the re-configuration process:
#!/bin/bash
# Script allows to speed up the configuration loading on XTB.
PERIOD=${1:-5}
while true; do
  curl -k -X POST http://localhost:8090/api/v1/config \
    -H 'Content-Type: application/json' \
    -d '{"action":"reload","adminSecret":"trustbroker.config.adminSecret"}'
  sleep "$PERIOD"
done
Scripting
XTB supports scripting within the federation processing for various purposes (see processing model in the architecture section).
The scripting engine is Groovy based on the underlying Java libraries.
This allows a wide range of manipulations, so make sure that the code you are injecting via scripts meets security requirements, specifically:
- Input validation on the values that are processed.
- Manipulating identity (specifically CPResponse.nameId) and authorization attributes (e.g. roles claims) only as required.
- Establish a review process via pull requests in your GitOps repository.
LOG
The LOG object allows access to the logging facility using the SLF4J API. You can use error, warn, info, debug and trace methods with parameter binding:
// Purpose: Dump bound SP request data to console (bindings, see ScriptService.java)
// Note: Consider documentation and RPRequest.java members that should be used in scripts.
LOG.debug("DEMO: Process federation request from referer {}", HTTPRequest.getHeader("Referer"))
LOG.trace("DEMO RPRequest: {}", RPRequest)
RPRequest
The RPRequest object is bound to computationally influence in-bound messages, specifically:
- Deciding on home realm discovery (HRD) routing based on the HTTP or SAML/OIDC protocol (you can drop or retain CPs).
- Handling authentication context class mappings towards claims providers (you can validate and map RPRequest.contextClasses on the way to the CP).
Example:
// Purpose: Show how user-agent context can be used to do IDP dispatching automatically.
// Example: Loadbalancer injecting a network identifier on the network perimeter.
// Security: Either the loadbalancer shields the header or the IDPs we forward to are safe themselves.
strongIdp = "urn:trustbroker.swiss:idp:SAML-MOCK-2"
strongQoa = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
def isMobileStrongAuthOnly(rpRequest) {
return rpRequest.contextClasses && rpRequest.contextClasses.size() == 1 && rpRequest.contextClasses.contains(strongQoa)
}
if (RPRequest.getClaimsProviders().size() > 1) {
def networkDetected = HTTPRequest.getHeader("X-ClientNetwork")
LOG.debug("Checking automatic HRD for rpIssuer={} with qoa={} from network={} towards cpMappings='{}'",
RPRequest.rpIssuer, RPRequest.contextClasses, networkDetected, RPRequest.claimsProviders)
if (isMobileStrongAuthOnly(RPRequest) || "INTRANET".equals(networkDetected)) {
RPRequest.retainClaimsProvider(strongIdp)
LOG.info("Automatic HRD for rpIssuer={} with qoa={} from network={} towards cpMappings='{}'",
RPRequest.rpIssuer, RPRequest.contextClasses, networkDetected, RPRequest.claimsProviders)
}
}
HTTPRequest
Along with the RPRequest, a groovy script has access to the HTTP request using the JSR340 API.
CPResponse
The CPResponse object is bound to handle claims provider responses and manipulate the relying party responses during the phases documented in the Architecture.
These members are of interest for mapping between CP and RP:
- nameId: The subject name identifier passed as the authentication result from the CP, also represented internally as the NameId 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' attribute.
- nameIdFormat: Some relying parties care about the SAML name identifier format to assert a certain authentication quality. This allows to overrule what the CP has decided in case of integration problems.
- contextClasses: Like on the RPRequest (requested authentication context class references, in short QoA), the CP should respond with one of the requested QoA.
There are the following members to get and set claims:
- attributes: They come from the CPs and are sent to RPs with an OriginalIssuer=CP-IssuerID
- userDetails: XTB has an IdmQueryService abstraction. Claims from such user registries should use this to store claims.
- properties: Groovy scripts computing derived claims should store them here so the SetupRP/ProfileRP configuration shows the contract properly.
- claims: These are the OIDC attributes used for OIDC token assembly
The names correspond to the selection 'Definition' lists in the configuration and are associated as follows:
- CPResponse holds the actual data based on the definition objects in the configuration
- Definition are copies including the value list and are used to generate the SAML attribute or OIDC claim output
The debug script shown at the beginning will expose all this data on TRACE level.
Please be careful what you use. If not mentioned in this section, you might produce some unwanted results.
// Purpose: Show how OIDC claim enrichment and structured claim assembly works.
// Note: Implements https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
// some IDP provided attributes
givenName = "" + CPResponse.getAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")
familyName = "" + CPResponse.getAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")
// derive OIDC displayName from SAML incoming attributes as OIDC claim only
CPResponse.addClaim("name", givenName + " " + familyName + " (source:3)")
// derive address from SAML attributes and construct new claim without honoring incoming request scopes
if (CPResponse.oidcScopes && CPResponse.oidcScopes.contains("openid")) {
CPResponse.addJsonClaim("address", "street_address", "123 " + familyName + " Street")
CPResponse.addJsonClaim("address", "locality", "St. " + familyName)
CPResponse.addJsonClaim("address", "postal_code", "9999")
CPResponse.addJsonClaim("address", "country", "Switzerland")
LOG.info("OnToken hook attached a fake address for clientId={} scopes='{}'", CPResponse.oidcClientId, CPResponse.oidcScopes)
}
Plugin APIs
XTB provides various API hooks for implementing certain features.
They are defined in the trustbroker-api module.
API | Purpose | Status |
---|---|---|
| Interface for accessing an Identity Management (IDM) service. E.g. an implementation could use LDAP or a custom API of the IDM. | Stable |
| Home realm discovery related customizations. | Stable |
| Service for mapping between string based authentication levels / quality of authentication to numerical levels. | Stable |
AttributeInitializer | Interface used for configuring custom sets of attributes in the | Stable |
| A service to render SAML requests and responses. An implementation is provided by | May still change - |
| Announcements can be shown e.g. for operational purposes. | Preliminary, may still change |
| A user that has different profiles may need to select the profile to use for authentication. Note: The related OIDC feature | Preliminary, may still change |
| Access request triggers onboarding of a user to an application due to a missing role. | Preliminary, may still change |
Modules
XTB consists of the following modules:
Module | Java Package | Content |
---|---|---|
| | |
| | Classes used by tests of other modules. |
| | Classes shared between |
| | Service for integrating WS-Trust. |
| | The core services of XTB. |
| | Configuration XML schema generated from DTO classes representing the configuration model for external use. |
| | The XTB Spring Boot application |
| N/A | Angular-based frontend |
| | Mock for testing SAML exchanges based on recorded or hand-crafted messages. |
| | Mock for testing OIDC interaction. |
| N/A | Docker image creation. |
| N/A | This AsciiDoc documentation. |
| N/A | GIT repository with sample XTB configuration. |
Credits
The following open source projects are used by XTB with big thanks:
OSS Project | License | Remarks |
---|---|---|
Alpine linux | MIT | https://github.com/alpinelinux/docker-alpine/blob/master/LICENSE |
Angular | MIT | |
keycloak.js | Red Hat Apache-2.0 | https://github.com/keycloak/keycloak/blob/main/js/libs/keycloak-js/src/keycloak.js. Migration use case only. We prefer you package this with your client so we can remove it. |
org.opensaml | GPL-2 | |
spring-authorization-server | Apache-2.0 | https://github.com/spring-projects/spring-authorization-server/blob/main/LICENSE.txt |
zulu-openjdk-alpine | GPL-2 | https://docs.azul.com/core/tpls/january-2024/zulu17_tpl.html |
org.apache.wss4j.wss4j-ws-security-common | Apache-2.0 | |
Eclipse JGit TM | Eclipse Distribution License - v 1.0 | |
Derivative work is marked in the source as such, along with the original licenses.
All the license details of the Alpine and Java assembly you can find in the SBOM below.
License
XTB itself is licensed under GNU AFFERO GENERAL PUBLIC LICENSE Version 3.
Contributions
Input and contributions to the XTB projects are considered according to:
Software Bill of Material
Library licenses in detail (SBOM report from XRay used for vulnerability checking along Trivy and Sonar scans):
Component Name | Licenses | Licenses Links | Package Type | Component Id | Package Id | Version |
---|---|---|---|---|---|---|
3.20:alpine-baselayout | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:alpine-baselayout:3.6.5-r0 | alpine://3.20:alpine-baselayout | 3.6.5-r0 |
3.20:alpine-baselayout-data | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:alpine-baselayout-data:3.6.5-r0 | alpine://3.20:alpine-baselayout-data | 3.6.5-r0 |
3.20:alpine-keys | Unknown | | alpine | 3.20:alpine-keys:2.4-r1 | alpine://3.20:alpine-keys | 2.4-r1 |
3.20:alsa-lib | Unknown | | alpine | 3.20:alsa-lib:1.2.11-r0 | alpine://3.20:alsa-lib | 1.2.11-r0 |
3.20:apk-tools | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:apk-tools:2.14.4-r1 | alpine://3.20:apk-tools | 2.14.4-r1 |
3.20:busybox | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:busybox:1.36.1-r29 | alpine://3.20:busybox | 1.36.1-r29 |
3.20:busybox-binsh | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:busybox-binsh:1.36.1-r29 | alpine://3.20:busybox-binsh | 1.36.1-r29 |
3.20:ca-certificates-bundle | MIT | | alpine | 3.20:ca-certificates-bundle:20241121-r1 | alpine://3.20:ca-certificates-bundle | 20241121-r1 |
3.20:java-common | Unknown | | alpine | 3.20:java-common:0.5-r0 | alpine://3.20:java-common | 0.5-r0 |
3.20:libbsd | Unknown | | alpine | 3.20:libbsd:0.12.2-r0 | alpine://3.20:libbsd | 0.12.2-r0 |
3.20:libcrypto3 | Apache-2.0 | | alpine | 3.20:libcrypto3:3.3.3-r0 | alpine://3.20:libcrypto3 | 3.3.3-r0 |
3.20:libmd | Unknown | | alpine | 3.20:libmd:1.1.0-r0 | alpine://3.20:libmd | 1.1.0-r0 |
3.20:libssl3 | Apache-2.0 | | alpine | 3.20:libssl3:3.3.3-r0 | alpine://3.20:libssl3 | 3.3.3-r0 |
3.20:libx11 | Unknown | | alpine | 3.20:libx11:1.8.9-r1 | alpine://3.20:libx11 | 1.8.9-r1 |
3.20:libxau | Unknown | | alpine | 3.20:libxau:1.0.11-r4 | alpine://3.20:libxau | 1.0.11-r4 |
3.20:libxcb | Unknown | | alpine | 3.20:libxcb:1.16.1-r0 | alpine://3.20:libxcb | 1.16.1-r0 |
3.20:libxdmcp | Unknown | | alpine | 3.20:libxdmcp:1.1.5-r1 | alpine://3.20:libxdmcp | 1.1.5-r1 |
3.20:libxext | Unknown | | alpine | 3.20:libxext:1.3.6-r2 | alpine://3.20:libxext | 1.3.6-r2 |
3.20:libxi | Unknown | | alpine | 3.20:libxi:1.8.1-r4 | alpine://3.20:libxi | 1.8.1-r4 |
3.20:libxrender | Unknown | | alpine | 3.20:libxrender:0.9.11-r5 | alpine://3.20:libxrender | 0.9.11-r5 |
3.20:libxtst | Unknown | | alpine | 3.20:libxtst:1.2.4-r6 | alpine://3.20:libxtst | 1.2.4-r6 |
3.20:musl | MIT | | alpine | 3.20:musl:1.2.5-r1 | alpine://3.20:musl | 1.2.5-r1 |
3.20:musl-utils | BSD-2-Clause,MIT | http://opensource.org/licenses/BSD-2-Clause,http://www.opensource.org/licenses/MIT | alpine | 3.20:musl-utils:1.2.5-r1 | alpine://3.20:musl-utils | 1.2.5-r1 |
3.20:scanelf | Unknown | | alpine | 3.20:scanelf:1.3.7-r2 | alpine://3.20:scanelf | 1.3.7-r2 |
3.20:ssl_client | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:ssl_client:1.36.1-r29 | alpine://3.20:ssl_client | 1.36.1-r29 |
3.20:tzdata | Public Domain | | alpine | 3.20:tzdata:2025b-r0 | alpine://3.20:tzdata | 2025b-r0 |
3.20:zlib | Unknown | | alpine | 3.20:zlib:1.3.1-r1 | alpine://3.20:zlib | 1.3.1-r1 |
3.20:zulu17-ca-jdk | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-ca-jdk:17.0.15-r1 | alpine://3.20:zulu17-ca-jdk | 17.0.15-r1 |
3.20:zulu17-ca-jdk-headless | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-ca-jdk-headless:17.0.15-r1 | alpine://3.20:zulu17-ca-jdk-headless | 17.0.15-r1 |
3.20:zulu17-ca-jre | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-ca-jre:17.0.15-r1 | alpine://3.20:zulu17-ca-jre | 17.0.15-r1 |
3.20:zulu17-ca-jre-headless | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-ca-jre-headless:17.0.15-r1 | alpine://3.20:zulu17-ca-jre-headless | 17.0.15-r1 |
3.20:zulu17-jdk | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-jdk:17.0.15-r1 | alpine://3.20:zulu17-jdk | 17.0.15-r1 |
3.20:zulu17-jdk-headless | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-jdk-headless:17.0.15-r1 | alpine://3.20:zulu17-jdk-headless | 17.0.15-r1 |
3.20:zulu17-jre | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-jre:17.0.15-r1 | alpine://3.20:zulu17-jre | 17.0.15-r1 |
3.20:zulu17-jre-headless | GPL-2.0-only | http://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html | alpine | 3.20:zulu17-jre-headless:17.0.15-r1 | alpine://3.20:zulu17-jre-headless | 17.0.15-r1 |
ch.qos.logback:logback-classic | EPL-1.0,LGPL-2.1 | | maven | ch.qos.logback:logback-classic:1.5.18 | gav://ch.qos.logback:logback-classic | 1.5.18 |
ch.qos.logback:logback-core | EPL-1.0,LGPL-2.1 | | maven | ch.qos.logback:logback-core:1.5.18 | gav://ch.qos.logback:logback-core | 1.5.18 |
com.fasterxml.jackson.core:jackson-annotations | Apache-2.0 | | maven | com.fasterxml.jackson.core:jackson-annotations:2.18.3 | gav://com.fasterxml.jackson.core:jackson-annotations | 2.18.3 |
com.fasterxml.jackson.core:jackson-core | Apache-2.0 | | maven | com.fasterxml.jackson.core:jackson-core:2.18.3 | gav://com.fasterxml.jackson.core:jackson-core | 2.18.3 |
com.fasterxml.jackson.core:jackson-databind | Apache-2.0 | | maven | com.fasterxml.jackson.core:jackson-databind:2.18.3 | gav://com.fasterxml.jackson.core:jackson-databind | 2.18.3 |
com.fasterxml.jackson.dataformat:jackson-dataformat-toml | Apache-2.0 | | maven | com.fasterxml.jackson.dataformat:jackson-dataformat-toml:2.18.3 | gav://com.fasterxml.jackson.dataformat:jackson-dataformat-toml | 2.18.3 |
com.fasterxml.jackson.datatype:jackson-datatype-jdk8 | Apache-2.0 | | maven | com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.3 | gav://com.fasterxml.jackson.datatype:jackson-datatype-jdk8 | 2.18.3 |
com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | Apache-2.0 | | maven | com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.3 | gav://com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.18.3 |
com.fasterxml.jackson.module:jackson-module-parameter-names | Apache-2.0 | | maven | com.fasterxml.jackson.module:jackson-module-parameter-names:2.18.3 | gav://com.fasterxml.jackson.module:jackson-module-parameter-names | 2.18.3 |
com.fasterxml:classmate | Apache-2.0 | | maven | com.fasterxml:classmate:1.7.0 | gav://com.fasterxml:classmate | 1.7.0 |
com.github.ben-manes.caffeine:caffeine | Apache-2.0 | | maven | com.github.ben-manes.caffeine:caffeine:3.1.8 | gav://com.github.ben-manes.caffeine:caffeine | 3.1.8 |
com.github.stephenc.jcip:jcip-annotations | Apache-2.0 | | maven | com.github.stephenc.jcip:jcip-annotations:1.0-1 | gav://com.github.stephenc.jcip:jcip-annotations | 1.0-1 |
com.github.waffle:waffle-jna | JSON,MIT | http://www.json.org/license.html,http://www.opensource.org/licenses/MIT | maven | com.github.waffle:waffle-jna:3.3.0 | gav://com.github.waffle:waffle-jna | 3.3.0 |
com.google.code.findbugs:jsr305 | Apache-2.0 | | maven | com.google.code.findbugs:jsr305:3.0.2 | gav://com.google.code.findbugs:jsr305 | 3.0.2 |
com.google.code.gson:gson | Apache-2.0 | | maven | com.google.code.gson:gson:2.11.0 | gav://com.google.code.gson:gson | 2.11.0 |
com.google.errorprone:error_prone_annotations | Apache-2.0 | | maven | com.google.errorprone:error_prone_annotations:2.23.0 | gav://com.google.errorprone:error_prone_annotations | 2.23.0 |
com.google.guava:failureaccess | Apache-2.0 | | maven | com.google.guava:failureaccess:1.0.2 | gav://com.google.guava:failureaccess | 1.0.2 |
com.google.guava:guava | Apache-2.0 | | maven | com.google.guava:guava:33.0.0-jre | gav://com.google.guava:guava | 33.0.0-jre |
com.google.guava:listenablefuture | Apache-2.0 | | maven | com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava | gav://com.google.guava:listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava |
com.googlecode.javaewah:JavaEWAH | Apache-2.0 | | maven | com.googlecode.javaewah:JavaEWAH:1.2.3 | gav://com.googlecode.javaewah:JavaEWAH | 1.2.3 |
com.h2database:h2 | EPL-1.0,MPL-2.0 | http://www.eclipse.org/legal/epl-v10.html,http://opensource.org/licenses/MPL-2.0 | maven | com.h2database:h2:2.3.232 | gav://com.h2database:h2 | 2.3.232 |
com.nimbusds:nimbus-jose-jwt | Apache-2.0 | | maven | com.nimbusds:nimbus-jose-jwt:9.43 | gav://com.nimbusds:nimbus-jose-jwt | 9.43 |
com.sun.istack:istack-commons-runtime | EPL-1.0 | | maven | com.sun.istack:istack-commons-runtime:4.1.2 | gav://com.sun.istack:istack-commons-runtime | 4.1.2 |
com.sun.xml.messaging.saaj:saaj-impl | BSD-3-Clause | | maven | com.sun.xml.messaging.saaj:saaj-impl:3.0.4 | gav://com.sun.xml.messaging.saaj:saaj-impl | 3.0.4 |
com.zaxxer:HikariCP | Apache-2.0 | | maven | com.zaxxer:HikariCP:5.1.0 | gav://com.zaxxer:HikariCP | 5.1.0 |
commons-beanutils:commons-beanutils | Apache-2.0 | | maven | commons-beanutils:commons-beanutils:1.9.4 | gav://commons-beanutils:commons-beanutils | 1.9.4 |
commons-codec:commons-codec | Apache-2.0 | | maven | commons-codec:commons-codec:1.17.2 | gav://commons-codec:commons-codec | 1.17.2 |
commons-collections:commons-collections | Apache-2.0 | | maven | commons-collections:commons-collections:3.2.2 | gav://commons-collections:commons-collections | 3.2.2 |
commons-io:commons-io | Apache-2.0 | | maven | commons-io:commons-io:2.17.0 | gav://commons-io:commons-io | 2.17.0 |
commons-logging:commons-logging | Apache-2.0 | | maven | commons-logging:commons-logging:1.2 | gav://commons-logging:commons-logging | 1.2 |
io.dropwizard.metrics:metrics-core | Apache-2.0 | | maven | io.dropwizard.metrics:metrics-core:4.2.26 | gav://io.dropwizard.metrics:metrics-core | 4.2.26 |
io.dropwizard.metrics:metrics-json | Apache-2.0 | | maven | io.dropwizard.metrics:metrics-json:4.2.26 | gav://io.dropwizard.metrics:metrics-json | 4.2.26 |
io.micrometer:micrometer-commons | Apache-2.0 | | maven | io.micrometer:micrometer-commons:1.14.6 | gav://io.micrometer:micrometer-commons | 1.14.6 |
io.micrometer:micrometer-core | Apache-2.0 | | maven | io.micrometer:micrometer-core:1.14.6 | gav://io.micrometer:micrometer-core | 1.14.6 |
io.micrometer:micrometer-jakarta9 | Apache-2.0 | | maven | io.micrometer:micrometer-jakarta9:1.14.6 | gav://io.micrometer:micrometer-jakarta9 | 1.14.6 |
io.micrometer:micrometer-observation | Apache-2.0 | | maven | io.micrometer:micrometer-observation:1.14.6 | gav://io.micrometer:micrometer-observation | 1.14.6 |
io.micrometer:micrometer-registry-prometheus | Apache-2.0 | | maven | io.micrometer:micrometer-registry-prometheus:1.13.2 | gav://io.micrometer:micrometer-registry-prometheus | 1.13.2 |
io.prometheus:prometheus-metrics-config |
Apache-2.0 |
maven |
io.prometheus:prometheus-metrics-config:1.3.6 |
gav://io.prometheus:prometheus-metrics-config |
1.3.6 |
|
io.prometheus:prometheus-metrics-core |
Apache-2.0 |
maven |
io.prometheus:prometheus-metrics-core:1.3.6 |
gav://io.prometheus:prometheus-metrics-core |
1.3.6 |
|
io.prometheus:prometheus-metrics-exposition-formats |
Apache-2.0 |
maven |
io.prometheus:prometheus-metrics-exposition-formats:1.3.6 |
gav://io.prometheus:prometheus-metrics-exposition-formats |
1.3.6 |
|
io.prometheus:prometheus-metrics-exposition-textformats |
Unknown |
maven |
io.prometheus:prometheus-metrics-exposition-textformats:1.3.6 |
gav://io.prometheus:prometheus-metrics-exposition-textformats |
1.3.6 |
|
io.prometheus:prometheus-metrics-model |
Apache-2.0 |
maven |
io.prometheus:prometheus-metrics-model:1.3.6 |
gav://io.prometheus:prometheus-metrics-model |
1.3.6 |
|
io.prometheus:prometheus-metrics-tracer-common |
Apache-2.0 |
maven |
io.prometheus:prometheus-metrics-tracer-common:1.3.6 |
gav://io.prometheus:prometheus-metrics-tracer-common |
1.3.6 |
|
io.smallrye:jandex |
Apache-2.0 |
maven |
io.smallrye:jandex:3.2.0 |
gav://io.smallrye:jandex |
3.2.0 |
|
jakarta.activation:jakarta.activation-api |
BSD-3-Clause |
maven |
jakarta.activation:jakarta.activation-api:2.1.3 |
gav://jakarta.activation:jakarta.activation-api |
2.1.3 |
|
jakarta.annotation:jakarta.annotation-api |
EPL-2.0 |
maven |
jakarta.annotation:jakarta.annotation-api:2.1.1 |
gav://jakarta.annotation:jakarta.annotation-api |
2.1.1 |
|
jakarta.inject:jakarta.inject-api |
Apache-2.0 |
maven |
jakarta.inject:jakarta.inject-api:2.0.1 |
gav://jakarta.inject:jakarta.inject-api |
2.0.1 |
|
jakarta.mail:jakarta.mail-api |
BSD-3-Clause |
maven |
jakarta.mail:jakarta.mail-api:2.1.3 |
gav://jakarta.mail:jakarta.mail-api |
2.1.3 |
|
jakarta.persistence:jakarta.persistence-api |
EPL-1.0,EPL-2.0 |
http://www.eclipse.org/legal/epl-v10.html,https://spdx.org/licenses/EPL-2.0 |
maven |
jakarta.persistence:jakarta.persistence-api:3.1.0 |
gav://jakarta.persistence:jakarta.persistence-api |
3.1.0 |
jakarta.transaction:jakarta.transaction-api |
EPL-2.0 |
maven |
jakarta.transaction:jakarta.transaction-api:2.0.1 |
gav://jakarta.transaction:jakarta.transaction-api |
2.0.1 |
|
jakarta.xml.bind:jakarta.xml.bind-api |
BSD-3-Clause |
maven |
jakarta.xml.bind:jakarta.xml.bind-api:4.0.2 |
gav://jakarta.xml.bind:jakarta.xml.bind-api |
4.0.2 |
|
jakarta.xml.soap:jakarta.xml.soap-api |
BSD-3-Clause |
maven |
jakarta.xml.soap:jakarta.xml.soap-api:3.0.2 |
gav://jakarta.xml.soap:jakarta.xml.soap-api |
3.0.2 |
|
jakarta.xml.ws:jakarta.xml.ws-api |
BSD-3-Clause |
maven |
jakarta.xml.ws:jakarta.xml.ws-api:4.0.2 |
gav://jakarta.xml.ws:jakarta.xml.ws-api |
4.0.2 |
|
javax.cache:cache-api |
Apache-2.0 |
maven |
javax.cache:cache-api:1.1.1 |
gav://javax.cache:cache-api |
1.1.1 |
|
jrt-fs.jar |
Unknown |
generic |
jrt-fs.jar |
generic://sha256:87b4ce9c606b1f901606387bc02269cfed47e595428c31e542d1b3baae76450d/jrt-fs.jar |
||
net.bytebuddy:byte-buddy |
Apache-2.0 |
maven |
net.bytebuddy:byte-buddy:1.15.11 |
gav://net.bytebuddy:byte-buddy |
1.15.11 |
|
net.i2p.crypto:eddsa |
CC0-1.0 |
maven |
net.i2p.crypto:eddsa:0.3.0 |
gav://net.i2p.crypto:eddsa |
0.3.0 |
|
net.java.dev.jna:jna |
Apache-2.0 |
maven |
net.java.dev.jna:jna:5.13.0 |
gav://net.java.dev.jna:jna |
5.13.0 |
|
net.java.dev.jna:jna-platform |
Apache-2.0 |
maven |
net.java.dev.jna:jna-platform:5.13.0 |
gav://net.java.dev.jna:jna-platform |
5.13.0 |
|
net.shibboleth.utilities:java-support |
Apache-2.0 |
maven |
net.shibboleth.utilities:java-support:8.4.0 |
gav://net.shibboleth.utilities:java-support |
8.4.0 |
|
net.shibboleth:shib-networking |
Unknown |
maven |
net.shibboleth:shib-networking:9.1.3 |
gav://net.shibboleth:shib-networking |
9.1.3 |
|
net.shibboleth:shib-security |
Unknown |
maven |
net.shibboleth:shib-security:9.1.3 |
gav://net.shibboleth:shib-security |
9.1.3 |
|
net.shibboleth:shib-support |
Unknown |
maven |
net.shibboleth:shib-support:9.1.3 |
gav://net.shibboleth:shib-support |
9.1.3 |
|
net.shibboleth:shib-velocity |
Unknown |
maven |
net.shibboleth:shib-velocity:9.1.3 |
gav://net.shibboleth:shib-velocity |
9.1.3 |
|
org.antlr:antlr4-runtime |
BSD-3-Clause |
maven |
org.antlr:antlr4-runtime:4.13.0 |
gav://org.antlr:antlr4-runtime |
4.13.0 |
|
org.apache.commons:commons-lang3 |
Apache-2.0 |
maven |
org.apache.commons:commons-lang3:3.17.0 |
gav://org.apache.commons:commons-lang3 |
3.17.0 |
|
org.apache.commons:commons-text |
Apache-2.0 |
maven |
org.apache.commons:commons-text:1.12.0 |
gav://org.apache.commons:commons-text |
1.12.0 |
|
org.apache.groovy:groovy |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.apache.groovy:groovy:4.0.23 |
gav://org.apache.groovy:groovy |
4.0.23 |
org.apache.groovy:groovy-jsr223 |
Apache-2.0 |
maven |
org.apache.groovy:groovy-jsr223:4.0.23 |
gav://org.apache.groovy:groovy-jsr223 |
4.0.23 |
|
org.apache.httpcomponents.client5:httpclient5 |
Apache-2.0 |
maven |
org.apache.httpcomponents.client5:httpclient5:5.4.3 |
gav://org.apache.httpcomponents.client5:httpclient5 |
5.4.3 |
|
org.apache.httpcomponents.client5:httpclient5-cache |
Apache-2.0 |
maven |
org.apache.httpcomponents.client5:httpclient5-cache:5.4.3 |
gav://org.apache.httpcomponents.client5:httpclient5-cache |
5.4.3 |
|
org.apache.httpcomponents.core5:httpcore5 |
Apache-2.0 |
maven |
org.apache.httpcomponents.core5:httpcore5:5.3.4 |
gav://org.apache.httpcomponents.core5:httpcore5 |
5.3.4 |
|
org.apache.httpcomponents.core5:httpcore5-h2 |
Apache-2.0 |
maven |
org.apache.httpcomponents.core5:httpcore5-h2:5.3.4 |
gav://org.apache.httpcomponents.core5:httpcore5-h2 |
5.3.4 |
|
org.apache.logging.log4j:log4j-api |
Apache-2.0 |
maven |
org.apache.logging.log4j:log4j-api:2.24.3 |
gav://org.apache.logging.log4j:log4j-api |
2.24.3 |
|
org.apache.logging.log4j:log4j-to-slf4j |
Apache-2.0 |
maven |
org.apache.logging.log4j:log4j-to-slf4j:2.24.3 |
gav://org.apache.logging.log4j:log4j-to-slf4j |
2.24.3 |
|
org.apache.santuario:xmlsec |
Apache-2.0 |
maven |
org.apache.santuario:xmlsec:3.0.4 |
gav://org.apache.santuario:xmlsec |
3.0.4 |
|
org.apache.sshd:sshd-osgi |
Apache-2.0 |
maven |
org.apache.sshd:sshd-osgi:2.12.1 |
gav://org.apache.sshd:sshd-osgi |
2.12.1 |
|
org.apache.sshd:sshd-sftp |
Apache-2.0 |
maven |
org.apache.sshd:sshd-sftp:2.12.1 |
gav://org.apache.sshd:sshd-sftp |
2.12.1 |
|
org.apache.tomcat.embed:tomcat-embed-core |
Apache-2.0 |
maven |
org.apache.tomcat.embed:tomcat-embed-core:10.1.40 |
gav://org.apache.tomcat.embed:tomcat-embed-core |
10.1.40 |
|
org.apache.tomcat.embed:tomcat-embed-el |
Apache-2.0 |
maven |
org.apache.tomcat.embed:tomcat-embed-el:10.1.40 |
gav://org.apache.tomcat.embed:tomcat-embed-el |
10.1.40 |
|
org.apache.tomcat.embed:tomcat-embed-websocket |
Apache-2.0 |
maven |
org.apache.tomcat.embed:tomcat-embed-websocket:10.1.40 |
gav://org.apache.tomcat.embed:tomcat-embed-websocket |
10.1.40 |
|
org.apache.tomcat:tomcat-annotations-api |
Apache-2.0 |
maven |
org.apache.tomcat:tomcat-annotations-api:10.1.40 |
gav://org.apache.tomcat:tomcat-annotations-api |
10.1.40 |
|
org.apache.velocity:velocity-engine-core |
Apache-2.0 |
maven |
org.apache.velocity:velocity-engine-core:2.4.1 |
gav://org.apache.velocity:velocity-engine-core |
2.4.1 |
|
org.apache.wss4j:wss4j-ws-security-common |
Apache-2.0 |
maven |
org.apache.wss4j:wss4j-ws-security-common:3.0.3 |
gav://org.apache.wss4j:wss4j-ws-security-common |
3.0.3 |
|
org.apache.wss4j:wss4j-ws-security-dom |
Apache-2.0 |
maven |
org.apache.wss4j:wss4j-ws-security-dom:3.0.3 |
gav://org.apache.wss4j:wss4j-ws-security-dom |
3.0.3 |
|
org.aspectj:aspectjweaver |
EPL-2.0 |
maven |
org.aspectj:aspectjweaver:1.9.24 |
gav://org.aspectj:aspectjweaver |
1.9.24 |
|
org.bouncycastle:bcpkix-jdk18on |
MIT |
maven |
org.bouncycastle:bcpkix-jdk18on:1.79 |
gav://org.bouncycastle:bcpkix-jdk18on |
1.79 |
|
org.bouncycastle:bcprov-jdk18on |
MIT |
maven |
org.bouncycastle:bcprov-jdk18on:1.79 |
gav://org.bouncycastle:bcprov-jdk18on |
1.79 |
|
org.bouncycastle:bcutil-jdk18on |
MIT |
maven |
org.bouncycastle:bcutil-jdk18on:1.79 |
gav://org.bouncycastle:bcutil-jdk18on |
1.79 |
|
org.checkerframework:checker-qual |
MIT |
maven |
org.checkerframework:checker-qual:3.41.0 |
gav://org.checkerframework:checker-qual |
3.41.0 |
|
org.cryptacular:cryptacular |
Apache-2.0 |
maven |
org.cryptacular:cryptacular:1.2.6 |
gav://org.cryptacular:cryptacular |
1.2.6 |
|
org.eclipse.angus:angus-activation |
BSD-3-Clause |
maven |
org.eclipse.angus:angus-activation:2.0.2 |
gav://org.eclipse.angus:angus-activation |
2.0.2 |
|
org.eclipse.jgit:org.eclipse.jgit |
BSD-3-Clause |
maven |
org.eclipse.jgit:org.eclipse.jgit:6.10.0.202406032230-r |
gav://org.eclipse.jgit:org.eclipse.jgit |
6.10.0.202406032230-r |
|
org.eclipse.jgit:org.eclipse.jgit.ssh.apache |
BSD-3-Clause |
maven |
org.eclipse.jgit:org.eclipse.jgit.ssh.apache:6.10.0.202406032230-r |
gav://org.eclipse.jgit:org.eclipse.jgit.ssh.apache |
6.10.0.202406032230-r |
|
org.ehcache.modules:ehcache-107 |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-107:3.10.8 |
gav://org.ehcache.modules:ehcache-107 |
3.10.8 |
|
org.ehcache.modules:ehcache-api |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-api:3.10.8 |
gav://org.ehcache.modules:ehcache-api |
3.10.8 |
|
org.ehcache.modules:ehcache-core |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-core:3.10.8 |
gav://org.ehcache.modules:ehcache-core |
3.10.8 |
|
org.ehcache.modules:ehcache-impl |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-impl:3.10.8 |
gav://org.ehcache.modules:ehcache-impl |
3.10.8 |
|
org.ehcache.modules:ehcache-xml |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-xml:3.10.8 |
gav://org.ehcache.modules:ehcache-xml |
3.10.8 |
|
org.ehcache.modules:ehcache-xml-spi |
Apache-2.0 |
maven |
org.ehcache.modules:ehcache-xml-spi:3.10.8 |
gav://org.ehcache.modules:ehcache-xml-spi |
3.10.8 |
|
org.ehcache:ehcache |
Apache-2.0 |
maven |
org.ehcache:ehcache:3.10.8 |
gav://org.ehcache:ehcache |
3.10.8 |
|
org.ehcache:sizeof |
Apache-2.0 |
maven |
org.ehcache:sizeof:0.4.3 |
gav://org.ehcache:sizeof |
0.4.3 |
|
org.flywaydb:flyway-core |
Apache-2.0 |
maven |
org.flywaydb:flyway-core:10.20.1 |
gav://org.flywaydb:flyway-core |
10.20.1 |
|
org.flywaydb:flyway-mysql |
Apache-2.0 |
maven |
org.flywaydb:flyway-mysql:10.20.1 |
gav://org.flywaydb:flyway-mysql |
10.20.1 |
|
org.glassfish.jaxb:jaxb-core |
BSD-3-Clause |
maven |
org.glassfish.jaxb:jaxb-core:4.0.5 |
gav://org.glassfish.jaxb:jaxb-core |
4.0.5 |
|
org.glassfish.jaxb:jaxb-runtime |
BSD-3-Clause |
maven |
org.glassfish.jaxb:jaxb-runtime:4.0.5 |
gav://org.glassfish.jaxb:jaxb-runtime |
4.0.5 |
|
org.glassfish.jaxb:txw2 |
BSD-3-Clause |
maven |
org.glassfish.jaxb:txw2:4.0.5 |
gav://org.glassfish.jaxb:txw2 |
4.0.5 |
|
org.hdrhistogram:HdrHistogram |
CC0-1.0 |
maven |
org.hdrhistogram:HdrHistogram:2.2.2 |
gav://org.hdrhistogram:HdrHistogram |
2.2.2 |
|
org.hibernate.common:hibernate-commons-annotations |
Apache-2.0 |
maven |
org.hibernate.common:hibernate-commons-annotations:7.0.3.Final |
gav://org.hibernate.common:hibernate-commons-annotations |
7.0.3.Final |
|
org.hibernate.orm:hibernate-core |
LGPL-2.1 |
http://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html |
maven |
org.hibernate.orm:hibernate-core:6.6.13.Final |
gav://org.hibernate.orm:hibernate-core |
6.6.13.Final |
org.jasypt:jasypt |
Apache-2.0 |
maven |
org.jasypt:jasypt:1.9.3 |
gav://org.jasypt:jasypt |
1.9.3 |
|
org.jboss.logging:jboss-logging |
Apache-2.0 |
maven |
org.jboss.logging:jboss-logging:3.6.1.Final |
gav://org.jboss.logging:jboss-logging |
3.6.1.Final |
|
org.jvnet.staxex:stax-ex |
BSD-3-Clause |
maven |
org.jvnet.staxex:stax-ex:2.1.0 |
gav://org.jvnet.staxex:stax-ex |
2.1.0 |
|
org.latencyutils:LatencyUtils |
CC0-1.0 |
maven |
org.latencyutils:LatencyUtils:2.0.3 |
gav://org.latencyutils:LatencyUtils |
2.0.3 |
|
org.mariadb.jdbc:mariadb-java-client |
LGPL-2.1 |
http://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html |
maven |
org.mariadb.jdbc:mariadb-java-client:3.4.1 |
gav://org.mariadb.jdbc:mariadb-java-client |
3.4.1 |
org.opensaml:opensaml-core-api |
Unknown |
maven |
org.opensaml:opensaml-core-api:5.1.3 |
gav://org.opensaml:opensaml-core-api |
5.1.3 |
|
org.opensaml:opensaml-core-impl |
Unknown |
maven |
org.opensaml:opensaml-core-impl:5.1.3 |
gav://org.opensaml:opensaml-core-impl |
5.1.3 |
|
org.opensaml:opensaml-messaging-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-messaging-api:5.1.3 |
gav://org.opensaml:opensaml-messaging-api |
5.1.3 |
|
org.opensaml:opensaml-profile-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-profile-api:5.1.3 |
gav://org.opensaml:opensaml-profile-api |
5.1.3 |
|
org.opensaml:opensaml-saml-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-saml-api:5.1.3 |
gav://org.opensaml:opensaml-saml-api |
5.1.3 |
|
org.opensaml:opensaml-saml-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-saml-impl:5.1.3 |
gav://org.opensaml:opensaml-saml-impl |
5.1.3 |
|
org.opensaml:opensaml-security-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-security-api:5.1.3 |
gav://org.opensaml:opensaml-security-api |
5.1.3 |
|
org.opensaml:opensaml-security-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-security-impl:5.1.3 |
gav://org.opensaml:opensaml-security-impl |
5.1.3 |
|
org.opensaml:opensaml-soap-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-soap-api:5.1.3 |
gav://org.opensaml:opensaml-soap-api |
5.1.3 |
|
org.opensaml:opensaml-soap-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-soap-impl:5.1.3 |
gav://org.opensaml:opensaml-soap-impl |
5.1.3 |
|
org.opensaml:opensaml-storage-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-storage-api:5.1.3 |
gav://org.opensaml:opensaml-storage-api |
5.1.3 |
|
org.opensaml:opensaml-xacml-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-xacml-api:4.3.0 |
gav://org.opensaml:opensaml-xacml-api |
4.3.0 |
|
org.opensaml:opensaml-xacml-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-xacml-impl:4.3.0 |
gav://org.opensaml:opensaml-xacml-impl |
4.3.0 |
|
org.opensaml:opensaml-xacml-saml-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-xacml-saml-api:4.3.0 |
gav://org.opensaml:opensaml-xacml-saml-api |
4.3.0 |
|
org.opensaml:opensaml-xacml-saml-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-xacml-saml-impl:4.3.0 |
gav://org.opensaml:opensaml-xacml-saml-impl |
4.3.0 |
|
org.opensaml:opensaml-xmlsec-api |
Apache-2.0 |
maven |
org.opensaml:opensaml-xmlsec-api:5.1.3 |
gav://org.opensaml:opensaml-xmlsec-api |
5.1.3 |
|
org.opensaml:opensaml-xmlsec-impl |
Apache-2.0 |
maven |
org.opensaml:opensaml-xmlsec-impl:5.1.3 |
gav://org.opensaml:opensaml-xmlsec-impl |
5.1.3 |
|
org.slf4j:jcl-over-slf4j |
Apache-2.0,MIT |
http://licenses.nuget.org/Apache-2.0,http://www.opensource.org/licenses/MIT |
maven |
org.slf4j:jcl-over-slf4j:2.0.17 |
gav://org.slf4j:jcl-over-slf4j |
2.0.17 |
org.slf4j:jul-to-slf4j |
MIT |
maven |
org.slf4j:jul-to-slf4j:2.0.17 |
gav://org.slf4j:jul-to-slf4j |
2.0.17 |
|
org.slf4j:slf4j-api |
MIT |
maven |
org.slf4j:slf4j-api:2.0.17 |
gav://org.slf4j:slf4j-api |
2.0.17 |
|
org.springframework.boot:spring-boot |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot:3.4.5 |
gav://org.springframework.boot:spring-boot |
3.4.5 |
|
org.springframework.boot:spring-boot-actuator |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-actuator:3.4.5 |
gav://org.springframework.boot:spring-boot-actuator |
3.4.5 |
|
org.springframework.boot:spring-boot-actuator-autoconfigure |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5 |
gav://org.springframework.boot:spring-boot-actuator-autoconfigure |
3.4.5 |
|
org.springframework.boot:spring-boot-autoconfigure |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-autoconfigure:3.4.5 |
gav://org.springframework.boot:spring-boot-autoconfigure |
3.4.5 |
|
org.springframework.boot:spring-boot-starter |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter:3.4.5 |
gav://org.springframework.boot:spring-boot-starter |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-actuator |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-actuator:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-actuator |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-data-jpa |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-data-jpa:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-data-jpa |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-jdbc |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-jdbc:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-jdbc |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-json |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-json:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-json |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-logging |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-logging:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-logging |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-security |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-security:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-security |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-tomcat |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-tomcat:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-tomcat |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-web |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-web:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-web |
3.4.5 |
|
org.springframework.boot:spring-boot-starter-web-services |
Apache-2.0 |
maven |
org.springframework.boot:spring-boot-starter-web-services:3.4.5 |
gav://org.springframework.boot:spring-boot-starter-web-services |
3.4.5 |
|
org.springframework.cloud:spring-cloud-commons |
Apache-2.0 |
maven |
org.springframework.cloud:spring-cloud-commons:4.2.0 |
gav://org.springframework.cloud:spring-cloud-commons |
4.2.0 |
|
org.springframework.cloud:spring-cloud-config-client |
Apache-2.0 |
maven |
org.springframework.cloud:spring-cloud-config-client:4.2.0 |
gav://org.springframework.cloud:spring-cloud-config-client |
4.2.0 |
|
org.springframework.cloud:spring-cloud-context |
Apache-2.0 |
maven |
org.springframework.cloud:spring-cloud-context:4.2.0 |
gav://org.springframework.cloud:spring-cloud-context |
4.2.0 |
|
org.springframework.cloud:spring-cloud-starter |
Apache-2.0 |
maven |
org.springframework.cloud:spring-cloud-starter:4.2.0 |
gav://org.springframework.cloud:spring-cloud-starter |
4.2.0 |
|
org.springframework.data:spring-data-commons |
Apache-2.0 |
maven |
org.springframework.data:spring-data-commons:3.4.5 |
gav://org.springframework.data:spring-data-commons |
3.4.5 |
|
org.springframework.data:spring-data-jpa |
Apache-2.0 |
maven |
org.springframework.data:spring-data-jpa:3.4.5 |
gav://org.springframework.data:spring-data-jpa |
3.4.5 |
|
org.springframework.security:spring-security-config |
Apache-2.0 |
maven |
org.springframework.security:spring-security-config:6.4.5 |
gav://org.springframework.security:spring-security-config |
6.4.5 |
|
org.springframework.security:spring-security-core |
Apache-2.0 |
maven |
org.springframework.security:spring-security-core:6.4.5 |
gav://org.springframework.security:spring-security-core |
6.4.5 |
|
org.springframework.security:spring-security-crypto |
Apache-2.0 |
maven |
org.springframework.security:spring-security-crypto:6.4.5 |
gav://org.springframework.security:spring-security-crypto |
6.4.5 |
|
org.springframework.security:spring-security-oauth2-authorization-server |
Apache-2.0 |
maven |
org.springframework.security:spring-security-oauth2-authorization-server:1.4.3 |
gav://org.springframework.security:spring-security-oauth2-authorization-server |
1.4.3 |
|
org.springframework.security:spring-security-oauth2-core |
Apache-2.0 |
maven |
org.springframework.security:spring-security-oauth2-core:6.4.5 |
gav://org.springframework.security:spring-security-oauth2-core |
6.4.5 |
|
org.springframework.security:spring-security-oauth2-jose |
Apache-2.0 |
maven |
org.springframework.security:spring-security-oauth2-jose:6.4.5 |
gav://org.springframework.security:spring-security-oauth2-jose |
6.4.5 |
|
org.springframework.security:spring-security-oauth2-resource-server |
Apache-2.0 |
maven |
org.springframework.security:spring-security-oauth2-resource-server:6.4.5 |
gav://org.springframework.security:spring-security-oauth2-resource-server |
6.4.5 |
|
org.springframework.security:spring-security-saml2-service-provider |
Apache-2.0 |
maven |
org.springframework.security:spring-security-saml2-service-provider:6.4.4 |
gav://org.springframework.security:spring-security-saml2-service-provider |
6.4.4 |
|
org.springframework.security:spring-security-web |
Apache-2.0 |
maven |
org.springframework.security:spring-security-web:6.4.5 |
gav://org.springframework.security:spring-security-web |
6.4.5 |
|
org.springframework.ws:spring-ws-core |
Apache-2.0 |
maven |
org.springframework.ws:spring-ws-core:4.0.13 |
gav://org.springframework.ws:spring-ws-core |
4.0.13 |
|
org.springframework.ws:spring-ws-security |
Apache-2.0 |
maven |
org.springframework.ws:spring-ws-security:4.0.13 |
gav://org.springframework.ws:spring-ws-security |
4.0.13 |
|
org.springframework.ws:spring-xml |
Apache-2.0 |
maven |
org.springframework.ws:spring-xml:4.0.13 |
gav://org.springframework.ws:spring-xml |
4.0.13 |
|
org.springframework:spring-aop |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-aop:6.2.6 |
gav://org.springframework:spring-aop |
6.2.6 |
org.springframework:spring-aspects |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-aspects:6.2.6 |
gav://org.springframework:spring-aspects |
6.2.6 |
org.springframework:spring-beans |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-beans:6.2.6 |
gav://org.springframework:spring-beans |
6.2.6 |
org.springframework:spring-context |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-context:6.2.6 |
gav://org.springframework:spring-context |
6.2.6 |
org.springframework:spring-core |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-core:6.2.6 |
gav://org.springframework:spring-core |
6.2.6 |
org.springframework:spring-expression |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-expression:6.2.6 |
gav://org.springframework:spring-expression |
6.2.6 |
org.springframework:spring-jcl |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-jcl:6.2.6 |
gav://org.springframework:spring-jcl |
6.2.6 |
org.springframework:spring-jdbc |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-jdbc:6.2.6 |
gav://org.springframework:spring-jdbc |
6.2.6 |
org.springframework:spring-orm |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-orm:6.2.6 |
gav://org.springframework:spring-orm |
6.2.6 |
org.springframework:spring-oxm |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-oxm:6.2.6 |
gav://org.springframework:spring-oxm |
6.2.6 |
org.springframework:spring-tx |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-tx:6.2.6 |
gav://org.springframework:spring-tx |
6.2.6 |
org.springframework:spring-web |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-web:6.2.6 |
gav://org.springframework:spring-web |
6.2.6 |
org.springframework:spring-webmvc |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
maven |
org.springframework:spring-webmvc:6.2.6 |
gav://org.springframework:spring-webmvc |
6.2.6 |
org.terracotta:offheap-store |
Apache-2.0 |
maven |
org.terracotta:offheap-store:2.5.3 |
gav://org.terracotta:offheap-store |
2.5.3 |
|
org.terracotta:statistics |
Apache-2.0 |
maven |
org.terracotta:statistics:2.1.2 |
gav://org.terracotta:statistics |
2.1.2 |
|
org.terracotta:terracotta-utilities-tools |
Apache-2.0 |
maven |
org.terracotta:terracotta-utilities-tools:0.0.15 |
gav://org.terracotta:terracotta-utilities-tools |
0.0.15 |
|
org.yaml:snakeyaml |
Apache-2.0 |
maven |
org.yaml:snakeyaml:2.3 |
gav://org.yaml:snakeyaml |
2.3 |
|
sizeof-agent.jar |
Unknown |
generic |
sizeof-agent.jar |
generic://sha256:60e093acb08d3bc30235ef15941380195cbb85b1ec8b4afd672249f9c530e356/sizeof-agent.jar |
||
trustbroker-api-1.10.0.20250707T145406Z.jar |
Unknown |
generic |
trustbroker-api-1.10.0.20250707T145406Z.jar |
generic://sha256:4663ca3599ab19632398f53d87a9604a7a31bbef834c0d2116e96fe856e76655/trustbroker-api-1.10.0.20250707T145406Z.jar |
||
trustbroker-common-1.10.0.20250707T145406Z.jar |
Apache-2.0,BSD-3-Clause |
http://licenses.nuget.org/Apache-2.0,http://opensource.org/licenses/BSD-3-Clause |
generic |
trustbroker-common-1.10.0.20250707T145406Z.jar |
generic://sha256:1ec81627c883c9b1fbd83f2b02ca5dc877edc6efa14c1ca82f3d0108ba95329a/trustbroker-common-1.10.0.20250707T145406Z.jar |
|
trustbroker-service-1.10.0.20250707T145406Z.jar |
Apache-2.0 |
generic |
trustbroker-service-1.10.0.20250707T145406Z.jar |
generic://sha256:63e256cc2012721090f96bb8fe07faa28b8ee243ad3032effda5f29acba58cfb/trustbroker-service-1.10.0.20250707T145406Z.jar |
||
trustbroker-swiss/trustbroker-application |
Unknown |
docker |
trustbroker-swiss/trustbroker-application:1.10.0.20250707T145406Z |
docker://trustbroker-swiss/trustbroker-application |
1.10.0.20250707T145406Z |
|
trustbroker-wstrust-service-1.10.0.20250707T145406Z.jar |
Unknown |
generic |
trustbroker-wstrust-service-1.10.0.20250707T145406Z.jar |
generic://sha256:61159943d1dab61dd5ef55ef897725153a6558c22044e5acc8888644cace70ec/trustbroker-wstrust-service-1.10.0.20250707T145406Z.jar |