MyFirst IdP
EuroCAMP Training

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Acknowledgements
• Portions of this training course taken from:
  – SWITCHaai
  – simpleSAMLphp website
  – EduGate Federation
  – K.U.Leuven Shibboleth Materials
Pre-requisites
• A training VM from disc or web that has been initially set up.
• This image has simpleSAMLphp, Shibboleth SP and other utilities included.

What's on the VM?
• TurnKey Linux LAMP Stack
  – http://www.turnkeylinux.org/lampstack
  – Apache HTTPd Web Server
  – MySQL Database
  – PHP 5.3
• simpleSAMLphp + requirements
  – http://simplesamlphp.org/docs/1.8/simplesamlphp-install
• OpenLDAP Directory
• Shibboleth Service Provider
  – Daemon + mod_shib for Apache
• Dynamic DNS Client & Configuration
simpleSAMLphp vs Shibboleth

                          simpleSAMLphp   Shibboleth IdP   Shibboleth SP
SAML1.1 (Shib Profile)    ~               X                X
SAML2.0 (saml2int)        X               X                X
Identity Provider (IdP)   X               X                -
Service Provider (SP)     X               -                X
Bridge (IdP<->SP)         X               -                -
OAuth/OpenID              X               -                -
Discovery Service         X               -                -
Latest Version            1.8             2.2              2.4
Programming Lang.         PHP             Java Servlet     C
Primary Developer         UNINETT         Internet2        Internet2

• simpleSAMLphp doesn't support the IdP Artifact
• Discovery Service / DS is a separate Java Servlet
• simpleSAMLphp can bridge OAuth/OpenID to SAML

Login & Set up simpleSAMLphp
Basic simpleSAMLphp setup
• Copy the default configuration files:
    cd /var/simplesamlphp/
    cp -r config-templates/* config/
    cp -r metadata-templates/* metadata/
• simpleSAMLphp was installed using Subversion:
    cd /var/
    svn checkout http://simplesamlphp.googlecode.com/svn/trunk/ simplesamlphp
• Subversion ('svn') is a version control system:
    cd /var/simplesamlphp/
    svn update            # update to the latest version
    svn update -r XXXX    # go to revision XXXX (default is HEAD)
  http://svnbook.red-bean.com/

Your simpleSAML page is live!
The IdP isn't set up yet…

Explore simpleSAMLphp…
Default password: '123'

Enabling SAML 2.0 IdP
• We need to enable the SAML 2.0 IdP!
• simpleSAMLphp configuration is located at:
    /var/simplesamlphp/config/
• Two major configuration files:
    config.php
    authsources.php
• Take a look at config.php:
    cd /var/simplesamlphp/config/
    more config.php
  http://simplesamlphp.org/docs/1.8/simplesamlphp-install#section_7
3 ways to edit files
• Two via the command line terminal:
    cd /var/simplesamlphp/config/
  – vi – the visual editor
    vi config.php
  – pico/nano – easier to use than vi if you've never used vi
    pico config.php
• Web-based simple editor

Essential File Editing Commands

Editor          Nano                  VIM
Open file       $ nano file.xml       $ vim file.xml
Save file       <ctrl>-o              <esc>, :w
Save and exit   <ctrl>-x              <esc>, :wq  or  <esc>, ZZ
Search string   <ctrl>-w, string      <esc>, /string
Go to line      <ctrl>--, number      <esc>, number, <shift>-G
Pros and cons   + Easy                + Powerful
                - Few features        - A bit "weird" to use

http://www.switch.ch/aai/support/presentations/installfest-2009/ShibInstallFest-Tipps-and-Tricks.ppt
Web Interface for editing…
• … for file browser.
• Edit to launch editor.
• Basic text editing.
• Click to 'Save'.

Remember to change…
• Enable the IdP:
    'enable.saml20-idp' => true,
• Generate random bytes for the salt:
    tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null; echo
  – or type random characters.
• Update the secret salt:
    'secretsalt' => 'randombytesinsertedhere', # or type junk!
• Admin password & contact details:
    'auth.adminpassword' => 'your_new_password',
    'technicalcontact_name' => 'My Name',
    'technicalcontact_email' => 'my.name@inst.federated.now',
  http://simplesamlphp.org/docs/1.8/simplesamlphp-install#section_7
How do you want to log in?
• Pick an authentication source
  – X509 Certificate, RADIUS, OpenID, YubiKey, Facebook, Twitter, MySpace, LinkedIn, Windows Live ID.
  – …or write your own.
• We will look at 3:
  – Configuration file with username/password
  – SQL database
  – LDAP directory
Simple Username/Password Auth
• Uses the exampleauth module – enable it!
    touch modules/exampleauth/enable
• Some basic test accounts…
  – Edit config/authsources.php
  – Enable example-userpass – remove the /* */ comment markers around it:
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('test'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
  – Add your own account – watch out for the commas (a missing , breaks the PHP array)
Add an account
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('test'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
        'username:password' => array(
            'uid' => array('username'),
            'eduPersonAffiliation' => array('member', 'faculty'),
        ),
    ),
• Pick a username and password.

Add additional attributes
        'username:password' => array(
            'uid' => array('username'),
            'eduPersonAffiliation' => array('member', 'faculty'),
            'cn' => array('My Name'),
            'postalCode' => array('1017 AW'),
            'telephoneNumber' => array('+31205304488'),
        ),
    ),
• Log out and log in again to see your attributes.
• For an extensive list of attributes, look at:
    more attributemap/name2oid.php
How to really test this IdP?
• Can't test generated attributes via authsource.
• Set up additional hostnames:
    echo 'idpXX-wsX.lab.iamfederated.org' >> /etc/ddclient.conf
    echo 'spXX-wsX.lab.iamfederated.org' >> /etc/ddclient.conf
    more /etc/ddclient.conf
• Refresh Dynamic DNS and wait:
    /etc/init.d/ddclient restart
    grep ddclient /var/log/syslog
• Swap the IdP's metadata with our SP's!

Find your IdP's Metadata
• Click "Show metadata" under the IdP entry
Copy the PHP version of the Metadata
• Add to metadata/saml20-idp-remote.php:
    $metadata['https://host12-ws3.lab.iamfederated.org/simplesaml/saml2/idp/metadata.php'] = array (
        'metadata-set' => 'saml20-idp-remote',
        'entityid' => 'https://host12-ws3.lab.iamfederated.org/simplesaml/saml2/idp/metadata.php',
        'SingleSignOnService' => 'https://host12-ws3.lab.iamfederated.org/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService' => 'https://host12-ws3.lab.iamfederated.org/simplesaml/saml2/idp/SingleLogoutService.php',
        'certData' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BA…',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    );

Login from your SP
• Visit https://spXX-wsX.lab.iamfederated.org/simplesaml/
• Select 'default-sp'
Error? Your IdP needs to know your SP
• Visit https://spXX-wsX.lab.iamfederated.org/simplesaml/
Your IdP needs to know your SP
• Copy the PHP metadata.
• Add to metadata/saml20-sp-remote.php:
    $metadata['https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
        'AssertionConsumerService' => 'https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService' => 'https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    );
• Try logging in again at http://spXX-wsX…

Copy & Paste Error? …or not!
Spot the difference
• Four differences between left & right.
• HTTP vs HTTPS changes the dynamic entityID.

You might have seen this warning…
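The mismatch the slide describes is easy to miss by eye: an SP whose metadata page was copied from a plain http:// URL publishes an http:// entityID and http:// endpoints, and the IdP then fails to match the https:// entityID the SP actually sends. The following is an added example, not code from the slides or from the simpleSAMLphp project, that checks a pasted remote-metadata entry for that and a few related mistakes (entityid not matching the array key, missing required endpoints, endpoint host differing from the entityID host) and prints a field-by-field diff of two entries. It assumes the 1.8-style layout shown on the slides, where each endpoint is a single URL string; the sample entries are constructed from the hostnames used in the slides.

```php
<?php
// Added example, not part of the training slides: stand-alone checks for
// the remote-metadata arrays pasted into metadata/saml20-idp-remote.php
// and metadata/saml20-sp-remote.php. Assumes the 1.8-style layout from the
// slides (each endpoint is one URL string).

/**
 * Check one remote-metadata entry. $key is the array index used in
 * $metadata[$key] (the entityID), $entry is the array it maps to, and
 * $role is 'idp' or 'sp'. Returns a list of human-readable problems.
 */
function checkRemoteEntry(string $key, array $entry, string $role): array
{
    $problems = [];

    // The key is the entityID the peer is looked up by. An SP whose metadata
    // page was loaded over http:// publishes an http:// entityID, which never
    // matches the https:// entityID it sends in its AuthnRequest.
    if (parse_url($key, PHP_URL_SCHEME) !== 'https') {
        $problems[] = "entityID is not https: $key";
    }
    if (isset($entry['entityid']) && $entry['entityid'] !== $key) {
        $problems[] = "'entityid' does not match the array key: {$entry['entityid']}";
    }

    // What the IdP needs from an SP entry, and what the SP needs from an IdP entry.
    $required = ($role === 'idp')
        ? ['SingleSignOnService', 'certData']
        : ['AssertionConsumerService'];
    foreach ($required as $field) {
        if (empty($entry[$field])) {
            $problems[] = "missing '$field' in $role entry";
        }
    }

    // Endpoints should be https and live on the same host as the entityID.
    $host = parse_url($key, PHP_URL_HOST);
    foreach (['SingleSignOnService', 'SingleLogoutService', 'AssertionConsumerService'] as $field) {
        if (!isset($entry[$field])) {
            continue;
        }
        $url = $entry[$field];
        if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $problems[] = "$field is not https: $url";
        }
        if (parse_url($url, PHP_URL_HOST) !== $host) {
            $problems[] = "$field host differs from entityID host: $url";
        }
    }
    return $problems;
}

/** Field-by-field diff of two entries: the "spot the difference" done by code. */
function diffEntries(array $left, array $right): array
{
    $diff = [];
    foreach (array_unique(array_merge(array_keys($left), array_keys($right))) as $k) {
        $l = $left[$k] ?? '(absent)';
        $r = $right[$k] ?? '(absent)';
        if ($l !== $r) {
            $diff[$k] = ['left' => $l, 'right' => $r];
        }
    }
    return $diff;
}

// Constructed sample: the SP entry copied from a metadata page loaded over
// http:// (left) versus the same SP loaded over https:// (right).
$spHttp  = 'http://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/metadata.php/default-sp';
$spHttps = 'https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/metadata.php/default-sp';
$left = [
    'AssertionConsumerService' => 'http://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'http://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];
$right = [
    'AssertionConsumerService' => 'https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://sp12-ws3.lab.iamfederated.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];

foreach ([$spHttp => $left, $spHttps => $right] as $entityId => $entry) {
    echo "$entityId\n";
    $problems = checkRemoteEntry($entityId, $entry, 'sp');
    echo $problems ? '  ' . implode("\n  ", $problems) . "\n" : "  OK\n";
}
foreach (diffEntries($left, $right) as $field => $pair) {
    echo "$field differs:\n  left:  {$pair['left']}\n  right: {$pair['right']}\n";
}
```

Run it with `php check-metadata.php` (any file name) after pasting your own entries in place of the constructed ones; the http:// entry is reported with three problems, the https:// entry with none, and the diff lists both endpoints. For an IdP entry pass 'idp' as the role so that SingleSignOnService and certData are required instead of AssertionConsumerService.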
Two solutions to fix this
• Force HTTPS on your website
  – Apache configuration for SSL/TLS
  – Redirecting HTTP -> HTTPS
  – HTTP Strict Transport Security (HSTS)
• Hardwire the entityID
  – Can be configured statically rather than dynamically.
  – Best practice is to make your metadata accessible from your entityID URI, so that it is also a URL.
    • Can use "Redirect" in the Apache config to achieve this.

HTTP -> HTTPS Redirect
• Add to the HTTP VHOST configuration:
    vi /etc/apache2/sites-enabled/000-default

    <VirtualHost *:80>
        …
        # Redirect every plain-HTTP request to the same path over HTTPS
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
        </IfModule>
    </VirtualHost>
• Uses a rewrite rule to force the site to HTTPS.
• Enable rewrite & headers and restart Apache:
    a2enmod rewrite headers
    /etc/init.d/apache2 restart