eidas-connector

Management using the Actuator


Table of Contents

  1. Introduction

  2. Accessing Audit Logs

  3. The Health Endpoint

    3.1. SAML Metadata Health

    3.2. PRID Health

    3.3. Credential Monitoring

    3.4. Identity Matching Health

  4. The Info Endpoint

    4.1. Country Information

    4.2. Current PRID Policy Configuration

  5. The PRID Configuration Refresh Endpoint


1. Introduction

The Spring Boot Actuator can be used to supervise the application. It defines a set of endpoints, which are described in the sections below.

2. Accessing Audit Logs

Path: actuator/auditevents

Reference: https://docs.spring.io/spring-boot/api/rest/actuator/auditevents.html

Displays audit events.

Depending on how Audit logging is configured (see Audit Logging Configuration), the audit endpoint may not display all available events. For example, if Redis is not used to save events, the settings for in-memory logging will be used.

See Swedish eIDAS Connector Audit Logging for a listing of the audit events that are logged by the Connector.

Note: If audit logging has been configured to write audit events to files, the audit events may of course be accessed that way as well.

3. The Health Endpoint

Path: /actuator/health

Reference: https://docs.spring.io/spring-boot/api/rest/actuator/health.html

The Health-endpoint should be invoked periodically in order to monitor the “health” of the eIDAS application. The overall health-status can be one of:

Note: Simple monitoring services that cannot interpret the body of the health call should at least trigger on the HTTP status, where 200 means UP and 50X means “not ok”.

Apart from Spring’s standard health components [1], the eIDAS Connector delivers health information about the components described below.

[1]: Standard health components include indicators for disk space, Redis and SSL/TLS.

3.1. SAML Metadata Health

Key: saml-metadata

Description: Asserts that the connector has access to valid SAML metadata.

If the connector has access to valid metadata, the component will display the following information:

  ...
  "saml-metadata" : {
    "status" : "UP",
    "details" : {
      "id" : "https://md.swedenconnect.se/role/sp.xml"
    }
  },
  ...

If the connector does not have access to valid SAML metadata, it will not be able to serve any requests, and the connection to the metadata download URL needs to be checked.

  ...
  "saml-metadata" : {  
    "status" : "OUT_OF_SERVICE",
    "details" : { 
      "id" : "https://md.swedenconnect.se/role/sp.xml",
      "error-message" : "No valid SAML metadata available"
    }
  },
  ...  

3.2. PRID Health

Key: prid

Description: Checks that the configuration for eIDAS Connector Provisional Identifier (PRID) Calculation is correct. The main purpose of the PRID health component is to make sure that there is a configuration for all countries: the component reads the EU metadata and makes sure that all countries published to the aggregated EU metadata have a corresponding PRID configuration.

If the PRID-configuration is correct, the following will be returned:

  ...
  "prid" : {
    "status" : "UP",
    "details" : {
      "prid-policy-status" : "ok"
    }
  },
  ...

If there are countries in the EU SAML metadata that do not have a PRID-configuration:

  ...
  "prid" : { 
    "status" : "WARNING",
    "details" : { 
      "prid-policy-status" : {
        "missing-prid-config" : [ "NO" ] 
      }
    }
  },
  ...

The warning above states that metadata for Norway was found in the EU aggregated metadata, but the connector does not have a PRID configuration for Norway.

The PRID health component also warns about invalid PRID configurations. Suppose that an administrator noticed that Norway was missing from the configuration and added an entry, but made a mistake. This will look something like:

  ...
  "prid" : {
    "status" : "WARNING",
    "details" : {
      "prid-policy-status" : {
        "config-validation" : [ "Invalid algorithm (defaultX-eIDAS) for country NO" ],
        "missing-prid-config" : [ "NO" ]
      }
    }
  },
  ...
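A monitoring check that interprets the health responses shown in 3.1 and 3.2 (HTTP status first, then the saml-metadata and prid components), added here as an example and not part of the connector project. It assumes Spring Boot's nesting of indicators under a "components" object; the HTTP status and body are constructed inline rather than fetched from /actuator/health:

```python
import json

# Constructed sample response (not captured from a real connector), shaped like
# the section 3.1 and 3.2 excerpts plus one of Spring's standard components.
SAMPLE_HTTP_STATUS = 503
SAMPLE_BODY = json.dumps({"status": "OUT_OF_SERVICE", "components": {
    "saml-metadata": {"status": "OUT_OF_SERVICE", "details": {
        "id": "https://md.swedenconnect.se/role/sp.xml",
        "error-message": "No valid SAML metadata available"}},
    "prid": {"status": "WARNING", "details": {"prid-policy-status": {
        "missing-prid-config": ["NO"],
        "config-validation": ["Invalid algorithm (defaultX-eIDAS) for country NO"]}}},
    "diskSpace": {"status": "UP"}}})


def evaluate_health(http_status: int, body: str) -> list[str]:
    """Return one finding per detected problem; empty means the connector is UP."""
    findings = []
    if http_status != 200:  # coarse check: 200 means UP, anything else "not ok"
        findings.append(f"HTTP {http_status}: connector reports overall not ok")
    try:
        health = json.loads(body)
    except json.JSONDecodeError:
        return findings + ["health body is not valid JSON"]
    # Spring Boot nests indicators under "components" (assumed; fall back to top level)
    components = health.get("components") or health
    for key, comp in components.items():
        if not isinstance(comp, dict):
            continue  # e.g. the top-level "status" string
        status, details = comp.get("status", "UNKNOWN"), comp.get("details", {})
        if key == "saml-metadata" and status != "UP":
            findings.append(f"saml-metadata {status}: {details.get('error-message', 'no details')}"
                            f" (check the metadata download from {details.get('id')})")
        elif key == "prid" and isinstance(details.get("prid-policy-status"), dict):
            policy = details["prid-policy-status"]  # "ok" when healthy, an object when not
            for country in policy.get("missing-prid-config", []):
                findings.append(f"prid: no PRID configuration for country {country}")
            for err in policy.get("config-validation", []):
                findings.append(f"prid: invalid PRID configuration: {err}")
        elif status not in ("UP", "UNKNOWN"):
            findings.append(f"{key} {status}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_health(SAMPLE_HTTP_STATUS, SAMPLE_BODY):
        print(finding)
```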

3.3. Credential Monitoring

Key: credential-monitor

Description: If hardware-based credentials are used (i.e., HSMs), monitoring of their status can be configured (see Credentials Monitoring).

See Credential Monitoring Health Endpoint for details about the monitored credentials.

3.4. Identity Matching Health

Key: idm

Description: Health indicator for checking the connectivity against the Identity Matching Service.

4. The Info Endpoint

Path: /actuator/info

Reference: https://docs.spring.io/spring-boot/api/rest/actuator/info.html

The info endpoint provides general information about the application, and apart from Spring’s standard elements, information about the following will be provided:

4.1. Country Information

Key: countries

Description: Provides information about the countries that are connected to the Swedish eIDAS Connector.

For each country, its country code, its SAML entityID and a list of supported assurance levels are displayed.

Example:

{
  ...
  "countries" : [ { 
    "country-code" : "NO",
    "entity-id" : "https://eidas-proxy-service.no/eidas-ps/ServiceMetadata",
    "assurance-levels" : [
      "http://eidas.europa.eu/LoA/high",
      "http://eidas.europa.eu/LoA/substantial",
      "http://eidas.europa.eu/LoA/low" ]
  },
  {
    "country-code" : "FR",
    "entity-id" : "https://eidas-cef-xa.fr/EidasNodeProxy/ServiceMetadata",
    ...

4.2. Current PRID Policy Configuration

Key: prid-policy

Description: Displays the current PRID policy (see eIDAS Connector Provisional Identifier (PRID) Calculation).

Example:

{
  ...
  "prid-policy" : {
    "NO" : {
      "algorithm" : "default-eIDAS",
      "persistenceClass" : "A"
    },
    "FR" : {
      "algorithm" : "default-eIDAS",
      "persistenceClass" : "B"
    },
    ...
  },
  ...
}

5. The PRID Configuration Refresh Endpoint

Path: /actuator/refreshprid

Description: The PRID service reloads the PRID policy file every 10 minutes. It is also possible to force a reload and verify that the update was correct. This is done by invoking the /actuator/refreshprid endpoint.

As its output, the endpoint responds with a status and the current policy configuration (see 4.2 above).

Make sure to inspect the result of the call, since the endpoint analyzes the newly updated PRID configuration file and, if it detects any errors, reports them.


Copyright © 2017-2025, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.