README
marcus-tun committed
The server code currently expects to live in
<document-root>/sd/


The client code is essentially standalone.


Dependencies:
- Server:
  - NTP-synchronised system time (SAML assertions carry NotBefore/NotOnOrAfter
    conditions, so a skewed server clock makes the SP reject valid assertions)
  - mod_python
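The NTP dependency matters because the SP checks each assertion's validity window against its own clock. The following Python script is an added example for this README, not part of pluto's server code (sso.py is not reproduced here): it parses a constructed SAML 2.0 assertion, applies the NotBefore/NotOnOrAfter conditions with a configurable clock-skew tolerance, and optionally checks the AudienceRestriction. The sample assertion, the 60-second skew default and the audience entityID https://saml-delegation.data.kit.edu/shibboleth are assumptions made for the example, not values taken from the project.

```python
"""Validity-window check for a SAML 2.0 assertion (added example, not pluto code).

Shows why the server needs NTP-synchronised time: an IdP typically issues
assertions valid for only a few minutes, so a clock that is off by more than
that makes every login fail (or, if it runs slow, accepts expired assertions).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion for this example; the audience entityID is assumed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml-delegation.data.kit.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are allowed."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (trailing 'Z'): %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(seconds=60), audience=None):
    """Return (ok, reason) for the assertion's <Conditions> evaluated at `now`.

    `skew` is the tolerance for clock drift between IdP and SP (60 s is an
    assumed default for the example).  Per SAML Core, NotBefore is inclusive
    and NotOnOrAfter is exclusive.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (NotBefore=%s)" % not_before
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter=%s)" % not_on_or_after
    if audience is not None:
        audiences = [a.text for a in cond.iter("{%s}Audience" % SAML_NS)]
        if audience not in audiences:
            return False, "audience mismatch: %r not in %r" % (audience, audiences)
    return True, "ok"


def check_at(assertion_xml, now_iso, skew_seconds=60, audience=None):
    """Convenience wrapper: evaluate the assertion at a SAML-formatted timestamp."""
    return check_conditions(assertion_xml, parse_saml_time(now_iso),
                            timedelta(seconds=skew_seconds), audience)


if __name__ == "__main__":
    # A server clock 5 min slow, one in sync, and one 7 min fast, relative to IssueInstant.
    for now_iso in ("2024-01-01T11:55:00Z", "2024-01-01T12:02:00Z", "2024-01-01T12:07:00Z"):
        print(now_iso, check_at(SAMPLE_ASSERTION, now_iso))
```

Run it directly to see the three verdicts; only the in-sync clock accepts the assertion. A real SP also verifies the XML signature and the Issuer before trusting the Conditions; this example deliberately covers only the time and audience checks the NTP dependency is about.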


Installation of the Server
==========================
Pluto:
------
    cd <wherever>
    git clone git@git.scc.kit.edu:lo0018/pluto.git

    cd /var/www
    ln -s <wherever>/pluto/server sd
    ln -s sd/index.html .  # optional
    mkdir assertions
    chown www-data:www-data assertions
    chmod 700 assertions

Apache:
-------
Modify the Apache config (e.g. /etc/apache2/sites-enabled/default-ssl) and
add a section like the following for Shibboleth and mod_python. Note that
"Order allow,deny" / "Allow from all" is Apache 2.2 syntax; on Apache 2.4
use "Require all granted" instead. "PythonDebug on" sends Python tracebacks
to the browser, so switch it off once the setup works:

    <Location /sd>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion true
        require valid-user
    </Location>
    <Directory /var/www/sd/>
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        #AddHandler cgi-script .cgi .py
        #AddHandler cgi-script .cgi .php
        AddHandler mod_python .py
        PythonHandler /var/www/sd/sso.py
        #PythonHandler mod_python.publisher
        PythonDebug on
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/assertions/>
        AllowOverride None
        Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch -Indexes
        Order allow,deny
        Allow from all
    </Directory>

Shibboleth:
-----------
The Shibboleth configuration used was based on these documents:
SP setup howto: https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/sp/deployment/
General Shibboleth documentation: https://wiki.shibboleth.net/confluence

Configure Shibboleth to:
1. Enable the assertion export handler (exportLocation), i.e. the Sessions tag in
   /etc/shibboleth/shibboleth2.xml should look like this:
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https"
            exportLocation="/GetAssertion"
            exportACL="141.52.160.10"
        >
   exportACL lists the client addresses allowed to fetch assertions from the
   export handler; replace the example address with the address of the host
   that will call it.

2. Add support for ECP, i.e. the SSO tag in /etc/shibboleth/shibboleth2.xml
   should look like this (the discoveryURL below points at the DFN-AAI test
   federation WAYF; use the one for your federation):
        <SSO type="SAML2" Location="/ECP"
            ECP="true" discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf">
          SAML2 SAML1
        </SSO>

Testing the installation with the client
========================================
./pluto/client/ecp-phpinfo
    Executes phpinfo on the server at https://saml-delegation.data.kit.edu/sd/p.php
    via ECP.

    You will be asked for your IdP password and should then see phpinfo output.
    Make sure not to mistake error messages for that output.

./pluto/client/saml-init
    Logs in at your IdP and creates the files
        /tmp/samlup_u1000
        /tmp/samlurl_u1000
    (the u1000 suffix is presumably your numeric uid), which you can use to log
    in to SAML-enabled ssh services such as <eppn>@fed-ssh.data.kit.edu
    (this service is currently being set up).