Commit 79fe1881 authored by marcus-tun

updated doku

parent e667c70e
The server part is currently coded to reside in
<document-root>/sd/
The client part is pretty much standalone.
Dependencies:
- Server:
  - NTP-synchronised time (SAML assertions carry validity timestamps and are rejected if the clock drifts)
  - Apache with mod_python
  - Shibboleth SP (mod_shib), see the Apache and Shibboleth sections below
Installation of the Server
==========================
Pluto:
------
cd <wherever>
git clone git@git.scc.kit.edu:lo0018/pluto.git
cd /var/www
ln -s <wherever>/pluto/server sd
ln -s sd/index.html . # optional
mkdir assertions
chown www-data:www-data assertions
chmod 700 assertions
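Added example for this page (not code from the Pluto repository): a small Python script that builds the layout from the steps above and then verifies it, so a mistyped chmod or a symlink pointing at the wrong checkout is caught before Apache is touched. It assumes exactly the layout described above (<docroot>/sd -> <checkout>/server, <docroot>/assertions owned by www-data with mode 0700); the function names and the temporary directory used by demo() are this example's own.

```python
#!/usr/bin/env python3
"""Set up and verify the file-system layout from the Pluto step above.

Added example, not code from the Pluto repository. Assumes the layout
described above: <docroot>/sd is a symlink to <checkout>/server and
<docroot>/assertions is a directory owned by the web server user
(www-data by default) with mode 0700.
"""
import os
import pwd
import stat
import tempfile


def owner_name(uid):
    """Map a numeric uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def setup_layout(docroot, checkout, web_user="www-data"):
    """Create <docroot>/sd -> <checkout>/server and a 0700 assertions dir.

    The chown to web_user is only attempted when running as root, so the
    function can also be used unprivileged to build a test layout.
    """
    sd = os.path.join(docroot, "sd")
    if not os.path.lexists(sd):
        os.symlink(os.path.join(checkout, "server"), sd)
    assertions = os.path.join(docroot, "assertions")
    if not os.path.isdir(assertions):
        os.mkdir(assertions, 0o700)
    os.chmod(assertions, 0o700)          # mkdir's mode is subject to umask
    if os.geteuid() == 0:
        www = pwd.getpwnam(web_user)
        os.chown(assertions, www.pw_uid, www.pw_gid)
    return assertions


def check_layout(docroot, checkout, web_user="www-data"):
    """Return a list of (code, message) problems; an empty list means OK."""
    problems = []
    sd = os.path.join(docroot, "sd")
    expected = os.path.realpath(os.path.join(checkout, "server"))
    if not os.path.islink(sd):
        problems.append(("sd-link", "%s is not a symlink" % sd))
    elif os.path.realpath(sd) != expected:
        problems.append(("sd-target", "%s does not point at %s" % (sd, expected)))

    assertions = os.path.join(docroot, "assertions")
    if os.path.islink(assertions) or not os.path.isdir(assertions):
        problems.append(("assertions-dir", "%s is missing or not a real directory" % assertions))
        return problems
    st = os.lstat(assertions)
    owner = owner_name(st.st_uid)
    if owner != web_user:
        problems.append(("assertions-owner", "%s is owned by %s, expected %s" % (assertions, owner, web_user)))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        problems.append(("assertions-mode", "%s has mode %04o, expected 0700" % (assertions, mode)))
    return problems


def demo():
    """Build a throw-away layout in a temp dir and check it twice:
    once as installed, once after loosening the assertions directory."""
    base = tempfile.mkdtemp(prefix="pluto-layout-")
    checkout = os.path.join(base, "pluto")
    docroot = os.path.join(base, "www")
    os.makedirs(os.path.join(checkout, "server"))
    os.makedirs(docroot)
    me = owner_name(os.geteuid())        # unprivileged run: we own the files
    assertions = setup_layout(docroot, checkout, web_user=me)
    before = check_layout(docroot, checkout, web_user=me)
    os.chmod(assertions, 0o755)          # what a careless install leaves behind
    after = check_layout(docroot, checkout, web_user=me)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh layout:", before or "OK")
    for code, msg in after:
        print("after chmod 755: [%s] %s" % (code, msg))
```

On a real host call check_layout("/var/www", "<wherever>/pluto") as root after the steps above; any non-empty result names the step to repeat.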
Apache:
-------
Modify the Apache config (e.g. /etc/apache2/sites-enabled/default-ssl)
and add a section like this for Shibboleth and mod_python. The Order/Allow
directives are Apache 2.2 syntax; on Apache 2.4 use "Require all granted"
instead. Note that the second <Directory> block serves /var/www/assertions/
to every client: unless the stored assertions must be fetched over HTTP,
change it to "Deny from all" (2.4: "Require all denied") or keep the
directory outside the document root.
<Location /sd>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting exportAssertion true
require valid-user
</Location>
<Directory /var/www/sd/>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
#AddHandler cgi-script .cgi .py
#AddHandler cgi-script .cgi .php
AddHandler mod_python .py
PythonHandler /var/www/sd/sso.py
#PythonHandler mod_python.publisher
PythonDebug on
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/assertions/>
AllowOverride None
Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch -Indexes
Order allow,deny
Allow from all
</Directory>
Shibboleth:
-----------
The Shibboleth configuration used was based on these documents:
SP Setup howto: https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/sp/deployment/
General shibboleth doc: https://wiki.shibboleth.net/confluence
Configure shibboleth to:
1. Support the exportLocation, i.e. your Sessions tag in
/etc/shibboleth/shibboleth2.xml should look like this:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https"
exportLocation="/GetAssertion"
exportACL="141.52.160.10"
>
2. Add support for ECP, i.e. your SSO tag in
/etc/shibboleth/shibboleth2.xml should look like this:
<SSO type="SAML2" Location="/ECP"
ECP="true" discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf">
SAML2 SAML1
</SSO>
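Added example for this page (not part of the Pluto repository or of the Shibboleth SP): a Python check that parses shibboleth2.xml and reports whether steps 1 and 2 have been applied, plus the two related settings a reviewer would look at (handlerSSL and cookieProps, which keep the session cookie off plain HTTP). The two embedded configurations are constructed for illustration; their namespace URI, entityID, IP address and hostnames are this example's assumptions, not values from the page.

```python
#!/usr/bin/env python3
"""Check shibboleth2.xml for the settings required by steps 1 and 2.

Added example, not code from Pluto or the Shibboleth SP. Findings are
returned as (code, message) pairs; an empty list means the file carries
everything the steps above ask for.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """'{urn:...}Sessions' -> 'Sessions', so the check ignores namespaces."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First element anywhere in the tree whose local name is `name`."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def check_sp_config(xml_text):
    """Return a list of (code, message) findings for an SP configuration."""
    findings = []
    root = ET.fromstring(xml_text)

    sessions = _find(root, "Sessions")
    if sessions is None:
        findings.append(("no-sessions", "no <Sessions> element found"))
    else:
        if not sessions.get("exportLocation"):
            findings.append(("export-location",
                             "Sessions lacks exportLocation; the SP will not export assertions"))
        if not sessions.get("exportACL", "").strip():
            findings.append(("export-acl",
                             "Sessions lacks exportACL; the SP falls back to its default (127.0.0.1 only)"))
        if sessions.get("handlerSSL", "").lower() != "true":
            findings.append(("handler-ssl",
                             "handlerSSL is not true; SP handlers would be reachable over plain HTTP"))
        props = sessions.get("cookieProps", "").lower()
        if props != "https" and "secure" not in props:
            findings.append(("cookie-props",
                             "cookieProps does not mark the session cookie secure"))

    sso = _find(root, "SSO")
    if sso is None:
        findings.append(("no-sso", "no <SSO> element found"))
    elif sso.get("ECP", "").lower() != "true":
        findings.append(("ecp", 'SSO lacks ECP="true"; the ECP client cannot log in'))
    return findings


# Constructed sample: the configuration the steps above ask for.
REQUIRED_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              exportLocation="/GetAssertion" exportACL="192.0.2.10">
      <SSO type="SAML2" ECP="true"
           discoveryProtocol="SAMLDS" discoveryURL="https://wayf.example.org/wayf">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: a stock SP configuration nobody has edited yet.
STOCK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


if __name__ == "__main__":
    for label, cfg in (("required", REQUIRED_CONFIG), ("stock", STOCK_CONFIG)):
        findings = check_sp_config(cfg)
        print("%s: %s" % (label, "OK" if not findings else ""))
        for code, msg in findings:
            print("  [%s] %s" % (code, msg))
```

To check the live file, pass open("/etc/shibboleth/shibboleth2.xml").read() to check_sp_config() and restart shibd only once the list comes back empty.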
Testing the installation with the client
========================================
./pluto/client/ecp-phpinfo
Will execute phpinfo on the server at https://saml-delegation.data.kit.edu/sd/p.php
If you are asked for your password and then see the phpinfo output, the
server side works. Make sure NOT to mix up this output with error messages.
./pluto/client/saml-init
Will log in with your IdP and create the files
/tmp/samlup_u1000
/tmp/samlurl_u1000
(the number in the suffix is your uid)
Which you can use to log in to SAML-enabled ssh services such as
<eppn>@fed-ssh.data.kit.edu (this service is currently being set up).
These files live in the shared /tmp; check that they are readable only by
you (ls -l /tmp/saml*_u$(id -u)) before relying on them.