README 3.13 KB
Newer Older
marcus-tun's avatar
marcus-tun committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
The server stuff is currently coded to reside in 
<document-root>/sd/


The client stuff is pretty much standalone


Dependencies:
- Server:
  - ntp syncronised time
  - mod_python


Installation of the Server
==========================
Pluto:
------
    cd <wherever>
    git clone git@git.scc.kit.edu:lo0018/pluto.git
20
21
22
    for i in server/js/seedrandom server/js/twofish; do
        (cd $i; git submodule init; git submodule update)
    done
marcus-tun's avatar
marcus-tun committed
23
24
25
26

    cd /var/www
    ln -s <wherever>/pluto/server sd
    ln -s sd/index.html .  # optional
marcus-tun's avatar
marcus-tun committed
27
    ln -s sd/idplist.txt .
marcus-tun's avatar
marcus-tun committed
28
    mkdir assertions
29
    touch assertions/index.html # note that directory listings will also be forbidden for the assertions folder in apache config
marcus-tun's avatar
marcus-tun committed
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
    chown www-data:www-data assertions
    chmod 700 assertions

Apache:
-------
Modify apache config (e.g. /etc/apache2/sites-enabled/default-ssl)
Add some section like this for shiboleth and mod_python:

    <Location /sd>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion true
        require valid-user
    </Location>
    <Directory /var/www/sd/>
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        #AddHandler cgi-script .cgi .py
        #AddHandler cgi-script .cgi .php
        AddHandler mod_python .py
        PythonHandler /var/www/sd/sso.py
        #PythonHandler mod_python.publisher
        PythonDebug on
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/assertions/>
        AllowOverride None
        Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch -Indexes
        Order allow,deny
        Allow from all
    </Directory>

Shibboleth:
-----------
The shibboleth configuration used was based on these ones:
SP Setup howto: https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/sp/deployment/
General shibboleth doc: https://wiki.shibboleth.net/confluence

Configure shibboleth to:
1. Support the exportLocation, i.e. your Sessions tag in
   /etc/shibboleth/shibboleth2.xml should look like this:
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https"
            exportLocation="/GetAssertion"
            exportACL="141.52.160.10"
        >

2. Add support for ECP, i.e. your SSO tag in
   /etc/shibboleth/shibboleth2.xml should look like this:
        <SSO type="SAML2" Location="/ECP"
            ECP="true" discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf">
          SAML2 SAML1
        </SSO>

Testing the installation with the client
========================================
./pluto/client/ecp-phpinfo
    Will execute phpinfo on the server at https://saml-delegation.data.kit.edu/sd/p.php

    If you're asked for the password and then see some output of phpinfo.
    Please make sure NOT to mix up this output with error messages.

./pluto/client/saml-init
    Will log in with your IdP and create the files
        /tmp/samlup_u1000
        /tmp/samlurl_u1000
    Which you can use to log in to SAML enabled ssh services such as
    <eppn>@fed-ssh.data.kit.edu (This service is currently being setup)