The server stuff is currently coded to reside in /sd/
The client stuff is pretty much standalone.

Dependencies:
- Server:
  - NTP-synchronised time
  - mod_python
- Client:
  - libcrypt-twofish-perl
  - libcrypt-blowfish-perl
  - libcrypt-generatepassword-perl
  - libcrypt-cbc-perl
- Interoperability, local environment, e.g. for python:

    virtualenv .env
    source .env/bin/activate
    pip install -r interop/py/requirements.txt

Installation of the Server
==========================

Pluto:
------

    cd
    git clone git@git.scc.kit.edu:lo0018/pluto.git
    cd pluto                        # the submodule commands must run inside the clone
    git submodule init
    git submodule update
    cd /var/www
    ln -s ~/pluto/server sd         # points at the clone made above
    ln -s sd/index.html .           # optional
    ln -s sd/idplist.txt .
    mkdir assertions
    touch assertions/index.html     # directory listings are also forbidden for the assertions folder in the apache config below
    chown www-data:www-data assertions
    chmod 700 assertions

The assertions directory is owned by, and readable only by, the web server user;
keep it that way after the install, and check it with e.g. "ls -ld /var/www/assertions".

Apache:
-------
Modify the apache config (e.g. /etc/apache2/sites-enabled/default-ssl) and add
sections like these for shibboleth and mod_python. The enclosing container
directives were lost when this page was extracted; the Directory lines below are
reconstructed from the directories created above and from the PythonHandler path.

    <Directory /var/www/sd>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion true
        require valid-user
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        #AddHandler cgi-script .cgi .py
        #AddHandler cgi-script .cgi .php
        AddHandler mod_python .py
        PythonHandler /var/www/sd/sso.py
        #PythonHandler mod_python.publisher
        PythonDebug on
        Order allow,deny
        Allow from all
    </Directory>

    <Directory /var/www/assertions>
        AllowOverride None
        Options -ExecCGI -MultiViews -SymLinksIfOwnerMatch -Indexes
        Order allow,deny
        Allow from all
    </Directory>

Two caveats: "PythonDebug on" makes mod_python send Python tracebacks to the
client, so switch it off once the installation works; and "Order allow,deny" /
"Allow from all" is Apache 2.2 access-control syntax, which on Apache 2.4 becomes
"Require all granted" (mod_access_compat aside).

Shibboleth:
-----------
The shibboleth configuration used was based on these:

SP setup howto:        https://www.switch.ch/aai/docs/shibboleth/SWITCH/latest/sp/deployment/
General shibboleth doc: https://wiki.shibboleth.net/confluence

Configure shibboleth to:

1. Support the exportLocation, i.e. set the exportLocation attribute on the
   Sessions tag in /etc/shibboleth/shibboleth2.xml. Keep the accompanying
   exportACL restricted to the local host, since whoever can reach the export
   location can fetch the exported assertions.
2. Add support for ECP, i.e. enable ECP on the SSO tag in
   /etc/shibboleth/shibboleth2.xml; the tag lists the protocols SAML2 SAML1.

Testing the installation with the client
========================================

    ./pluto/client/ecp-phpinfo

Executes phpinfo on the server at https://saml-delegation.data.kit.edu/sd/p.php
You are asked for your password and then see the output of phpinfo. Please make
sure NOT to mix up this output with error messages.

    ./pluto/client/saml-init

Logs in with your IdP and creates the files

    /tmp/samlup_u1000
    /tmp/samlurl_u1000

(the u1000 suffix presumably being the numeric uid of the calling user), which you
can use to log in to SAML enabled ssh services such as @fed-ssh.data.kit.edu
(this service is currently being set up). Since these files live in /tmp, check
their permissions: a world-readable file there is visible to every local user.
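The exchange behind the ECP setting above and the two client commands is the SAML 2.0 ECP profile: the client asks the SP for a PAOS envelope, carries the contained AuthnRequest to the IdP over HTTP Basic auth, and posts the IdP's Response back to the SP. The following is an added Python example, not Pluto's own (Perl) client code: it handles the messages offline and enforces the one check a practitioner must not skip, that the IdP's AssertionConsumerServiceURL equals the SP's responseConsumerURL before anything is delivered. The SP and IdP envelopes are constructed samples, the sp.example.org and attacker.example.net URLs are made up, and the actual HTTP transport is left out.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

# Constructed sample of the SP's PAOS reply to a GET that carried the headers
# from paos_request_headers(); the sp.example.org URLs are made up.
SP_PAOS_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
 <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
  S:actor="http://schemas.xmlsoap.org/soap/actor/next"
  service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
 <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
  S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:1234</ecp:RelayState>
</S:Header>
<S:Body>
 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
  AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
</S:Body>
</S:Envelope>"""

def idp_soap_response(acs_url):
    """Constructed sample of the IdP's ECP reply; the ACS URL is a parameter
    so the mismatch case can be exercised."""
    return """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
 <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
  S:actor="http://schemas.xmlsoap.org/soap/actor/next" AssertionConsumerServiceURL="ACS_URL"/>
</S:Header>
<S:Body>
 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1" Destination="ACS_URL"/>
</S:Body>
</S:Envelope>""".replace("ACS_URL", acs_url).encode()

def paos_request_headers():
    """HTTP headers that make a Shibboleth SP answer with a PAOS envelope
    instead of redirecting the client to an IdP discovery page."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="urn:liberty:paos:2003-08";'
                    '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}

def parse_sp_response(xml_bytes):
    """responseConsumerURL, RelayState and the AuthnRequest from the SP's envelope."""
    env = ET.fromstring(xml_bytes)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP PAOS request")
    relay = env.find("S:Header/ecp:RelayState", NS)
    return {"responseConsumerURL": paos_req.get("responseConsumerURL"),
            "relayState": None if relay is None else relay.text,
            "authnRequest": authn}

def build_idp_request(authn_request):
    """Envelope sent (with HTTP Basic auth) to the IdP's ECP endpoint: just the
    AuthnRequest, with the SP's PAOS/ECP headers stripped."""
    env = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(env, "{%s}Body" % NS["S"]).append(authn_request)
    return ET.tostring(env)

def deliver_to_sp(sp_xml, idp_xml):
    """Envelope POSTed to the SP's responseConsumerURL as application/vnd.paos+xml.
    Refuses when the IdP's AssertionConsumerServiceURL differs from the SP's
    responseConsumerURL: otherwise a rogue SP could use the client to get an
    assertion delivered where the IdP never agreed to (the profile says to
    send the SP a SOAP fault instead)."""
    sp = parse_sp_response(sp_xml)
    env = ET.fromstring(idp_xml)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP response from the IdP")
    acs = ecp_resp.get("AssertionConsumerServiceURL")
    if acs != sp["responseConsumerURL"]:
        raise ValueError("ACS URL %r != responseConsumerURL %r"
                         % (acs, sp["responseConsumerURL"]))
    out = ET.Element("{%s}Envelope" % NS["S"])
    if sp["relayState"] is not None:   # RelayState goes back to the SP unchanged
        rs = ET.SubElement(ET.SubElement(out, "{%s}Header" % NS["S"]),
                           "{%s}RelayState" % NS["ecp"])
        rs.set("{%s}mustUnderstand" % NS["S"], "1")
        rs.set("{%s}actor" % NS["S"], SOAP_NEXT)
        rs.text = sp["relayState"]
    ET.SubElement(out, "{%s}Body" % NS["S"]).append(saml_resp)
    return ET.tostring(out)

def inspect_delivery(env_bytes):
    """(RelayState, InResponseTo) of a delivery envelope, for checking."""
    env = ET.fromstring(env_bytes)
    rs = env.find("S:Header/ecp:RelayState", NS)
    return (None if rs is None else rs.text,
            env.find("S:Body/samlp:Response", NS).get("InResponseTo"))

if __name__ == "__main__":
    sp_acs = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"
    print(inspect_delivery(deliver_to_sp(SP_PAOS_RESPONSE, idp_soap_response(sp_acs))))
    try:
        deliver_to_sp(SP_PAOS_RESPONSE, idp_soap_response("https://attacker.example.net/acs"))
    except ValueError as e:
        print("refused:", e)
```

A real client wraps these with three HTTP calls (GET with paos_request_headers() to the protected SP URL, POST of build_idp_request() to the IdP's ECP endpoint with Basic auth, POST of deliver_to_sp() to the responseConsumerURL) and validates the IdP's TLS certificate on the second call, since that is where the password travels.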