SSF
SSF (protocolsoup-ssf)
Section titled “SSF (protocolsoup-ssf)”Image: ghcr.io/parlesec/protocolsoup-ssf
When To Use
Section titled “When To Use”Use SSF service to test security event stream configuration, CAEP/RISC event delivery, and receiver response actions.
Runtime Contract
Section titled “Runtime Contract”| Property | Value |
|---|---|
| Primary port | 8080 (SSF APIs) |
| Receiver port | 8081 (push delivery listener) |
| Health | GET /health |
| SSF discovery | GET /ssf/.well-known/ssf-configuration |
| Receiver status | GET /ssf/receiver/status |
Key Endpoints
Section titled “Key Endpoints”Transmitter
Section titled “Transmitter”POST|GET|PATCH|DELETE /ssf/stream— stream managementGET|POST /ssf/status— stream statusGET|POST /ssf/subjects— subject managementPOST /ssf/actions/{action}— trigger event actionsPOST /ssf/push— push deliveryGET|POST /ssf/poll— poll deliveryPOST /ssf/ack— acknowledge events
Receiver
Section titled “Receiver”POST /ssf/receiver/push— receive pushed SETsGET /ssf/receiver/status— receiver healthGET /ssf/receiver/events— received event logGET /ssf/receiver/actions— response action log
Supporting
Section titled “Supporting”GET /ssf/events/stream— SSE event streamGET /ssf/events— event historyGET /ssf/security-state— all security statesGET /ssf/security-state/{email}— security state by subjectPOST /ssf/decode— decode SET tokenGET /ssf/event-types— available event types
Supported Event Actions
Section titled “Supported Event Actions”session-revoked, credential-change, device-compliance-change, credential-compromise, account-disabled, account-enabled, account-purged, identifier-changed, assurance-level-change, token-claims-change, identifier-recycled, account-credential-change-required, sessions-revoked
Configuration
Section titled “Configuration”| Variable | Required | Default | Description |
|---|---|---|---|
SHOWCASE_BASE_URL | Yes | http://localhost:8080 | External base URL |
SSF_DATA_DIR | No | ./data | Stream and receiver state directory |
SSF_RECEIVER_PORT | No | 8081 | Standalone receiver listener port |
SSF_RECEIVER_TOKEN | No | auto-generated | Bearer token for push delivery authentication |
docker run -p 8080:8080 -p 8081:8081 \ -e SHOWCASE_BASE_URL=http://localhost:8080 \ -e SSF_DATA_DIR=/app/data \ -v ssf-data:/app/data \ ghcr.io/parlesec/protocolsoup-ssf:latestOperational Notes
Section titled “Operational Notes”- Port
8081runs the standalone receiver. Keep it private unless you intentionally test external push delivery. - Push delivery to
{baseURL}/ssf/receiver/pushis proxied to the internal receiver on port8081. - The receiver validates SETs and executes response actions (session revocation, credential compromise, etc.) via the built-in MockIdP action executor.
- Set
SSF_RECEIVER_TOKENexplicitly in shared environments. - Persist
SSF_DATA_DIRto keep stream and event state across restarts.