GOV.UK Verify has closed
This repository is out of date and has been archived
This repository contains the eIDAS Proxy Node implementation, which supplies UK eIDs to notified EU Member States, according to the eIDAS Regulation.
The UK Proxy Node is a service located between an EU Member State Connector Node, and a UK eID provider (Verify Hub). The Proxy Node is responsible for:
- transforming eIDAS SAML requests from an EU Connector Node to Verify SAML requests
- transforming eIDAS SAML responses from Verify SAML responses
- validating eIDAS SAML requests
- signing and encrypting eIDAS SAML responses
The Proxy Node consists of the following services:
Service | Role |
---|---|
gateway | public facing gateway that accepts and provides eIDAS SAML |
eidas-saml-parser | parses and validates eIDAS SAML requests from EU Member States |
verify-service-provider | creates and signs Verify SAML request payloads and parses, decrypts and validates Hub SAML responses |
metatron | provides data on how to connect to country connector nodes |
translator | creates signed and encrypted eIDAS SAML responses for EU Member States |
stub-connector | represents a country connector node, for testing |
The eIDAS Proxy Node does not perform matching.
We record our architectural decisions in doc/adr
A technical overview of the Proxy Node is available here.
See instructions to run the Proxy Node locally with minimal set-up using Docker.
- To run the tests manually, execute:
./gradlew clean test
. - Test results are output to
./build/test-results
.
Snyk is run by our Travis builds and does two things, test and monitor. We use the CLI rather than the GitHub integration as the integration has big problems with multi project Gradle builds like we have.
- After the tests are run in the build Travis checks all our dependencies against a database for known vulnerabilities.
- If any are found it exists with a non-zero code and the build fails. The build logs tell you what happened.
- If no vulnerabilities are found then we move on to monitoring.
- Snyk sends a list of all our dependencies to their server, and will alert us via email if any new vulnerabilities are found for them.
- The vulnerabilities can be found in our Snyk dashboard
- You can be added to the Snyk verify-eidas organisation by an existing member.
- The most common issue is a build failing due to a new vulnerability. Follow the link in the logs, or visit the dashboard and see what's up.
- Most issues will have a resolution strategy. Most often you'll need to bump a library verion. This can also be a transitive dependency. Good luck.
- If there is currently no solution, you can temporarily ignore the vulnerability. You'll need the Snyk ID of the issue which you can grab from the last segment of the URL of the issue - find it in the Travis build logs where the vulnerability is reported.
- Run
snyk ignore --id=<IssueID> --reason='The reason you're ignoring it'
and commit the.snyk
file generated. Push.