forked from fedushare/mech_saml_ec
-
Notifications
You must be signed in to change notification settings - Fork 1
dariaphoebe/mech_saml_ec
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
This is an open source implementation of https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec. View and report issues at: https://github.com/jbasney/mech_saml_ec/issues Discuss at: https://groups.google.com/d/forum/saml-ec-gssapi-dev ------------------------------------- Installing required RPMs: (Instructions taken from http://www.project-moonshot.org/devwiki/ConfiguringRHEL/) (Do we need to use Moonshot RPMs? See fedushare#2). (1) Install EPEL: # sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm # sudo yum install epel-release (2) If using SELinux, set it to permissive: # sudo echo 0 > /selinux/enforce (3) Create a new file /etc/yum.repos.d/moonshot.repo: # sudo echo \ '[Moonshot] name=Moonshot baseurl=http://yum.dev.ja.net/RPMS/x86_64/ enabled=1 gpgcheck=0 [Moonshot-source] name=Moonshot Source baseurl=http://yum.dev.ja.net/SRPM/ enabled=0 gpgcheck=0' \ > /etc/yum.repos.d/moonshot.repo (4) Install Moonshot RPMs with "yum": # sudo yum -y install \ shibboleth \ shibboleth-devel \ libxerces-c-3_1 \ libxerces-c-devel \ libsaml7 \ libsaml-devel \ opensaml-schemas \ liblog4shib1 \ liblog4shib-devel \ libxml-security-c16 \ libxml-security-c-devel \ libshibresolver1 \ libshibresolver-devel \ libxmltooling5 \ libxmltooling-devel \ xmltooling-schemas \ libevent \ libxml2-devel \ libtool \ gcc gcc-c++ (5) If you are running RHEL6 (may also apply to CentOS6), you may encounter a warning about libcurl which causes the library to segfault. This is due to Red Hat using Netscape Security Services stack (NSS) instead of OpenSSL for the curl libraries. See the following for more information: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6 ------------------------------------- Configuration: The library depends on correct configuration of the Shibboleth Service Provider (SP) software. In particular, you need to choose an entityID for your SP, create metadata for the SP (which is needed by any Identity Provider (IdP) you use), and configure a few files in /etc/shibboleth/. In particular, you need to modify the following files. (1) /etc/shibboleth/shibboleth2.xml This is the mail Shibboleth SP configuration file. You should be able to use the provided shibboleth2.xml.dist file as a starting point. You must set the following sections: (a) <ApplicationDefaults entityID="https://your.org/shibboleth" REMOTE_USER="persistent-id targeted-id eppn" signing="true"> The entityID is set to your chosen entityID and must match the entityID in the metadata for the SP. "signing" must be set to true so that SAML messages passed between the server and client are signed. (b) <MetadataProvider ...> You must have at least one MetadataProvider section so the library can verify the IdP used to authenticate the user. (2) /etc/shibboleth/attribute-map.xml In order to get a local user name for the authenticated user, you must map one attribute released by the IdP to "local-login-user". This actually requires two steps: (a) The IdP must be configured to release an attribute to your SP's entityID. It's not critical WHICH attribute is released, as long as the IdP and SP agree. For this discussion, let's say the IdP has released "givenName" (urn:oid:2.5.4.42). (b) On the SP side, map this attribute to "local-login-user" by adding the following to attribute-map.xml: <Attribute name="urn:oid:2.5.4.42" id="local-login-user"/> ------------------------------------- Building The Code: # ./autogen.sh # ./configure --with-opensaml=/opt/moonshot/ --with-shibresolver=/opt/moonshot/ --with-shibsp=/opt/moonshot/ # make ------------------------------------- Testing Library with MIT GSS example programs: 1. Start Server as follows. In one window, run: # ./testserver.sh - OR - # cd gss-sample # export LD_LIBRARY_PATH=/opt/moonshot/lib64 # ./gss-server -port 3490 test 2. Invoke client as follows. In a second window, run: # ./testclient.sh <username> <password> - OR - # cd gss-sample # export LD_LIBRARY_PATH=/opt/moonshot/lib64 # export SAML_EC_IDP='https://boingo.ncsa.uiuc.edu/idp/profile/SAML2/SOAP/ECP' # Use your IdP's ECP endpoint # ./gss-client -nw -nx -nm -port 3490 -user <username> -pass <password> -mech "{ 1 3 6 1 4 1 11591 4 6 }" localhost test testmessage
About
An open source implementation of draft-ietf-kitten-sasl-saml-ec
Resources
Stars
Watchers
Forks
Packages 0
No packages published