forked from fedushare/mech_saml_ec
README
This is an open source implementation of https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec
View and report issues at: https://github.com/jbasney/mech_saml_ec/issues
Discuss at: https://groups.google.com/d/forum/saml-ec-gssapi-dev
-------------------------------------
Installing required RPMs:
Instructions for obtaining Shibboleth RPMs are available at:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
For RHEL/CentOS based systems the basic steps are:
(1) Create a new file /etc/yum.repos.d/shibboleth.repo:
# echo \
'[Shibboleth]
name=Shibboleth
baseurl=http://download.opensuse.org/repositories/security://shibboleth/<OS>
enabled=1
gpgcheck=0' | sudo tee /etc/yum.repos.d/shibboleth.repo
And replace the <OS> at the end of baseurl with the target operating system.
(2) Install required packages with "yum":
# sudo yum -y install \
shibboleth \
shibboleth-devel \
libxerces-c-3_1 \
libxerces-c-devel \
libsaml7 \
libsaml-devel \
opensaml-schemas \
liblog4shib1 \
liblog4shib-devel \
libxml-security-c16 \
libxml-security-c-devel \
libxmltooling5 \
libxmltooling-devel \
xmltooling-schemas \
libevent \
libxml2-devel \
libtool \
gcc gcc-c++
(3) If you are running RHEL6 (this may also apply to CentOS6), you may encounter
a warning about libcurl, which causes the library to segfault. This is because
Red Hat builds the curl libraries against the Netscape Security Services (NSS)
stack instead of OpenSSL. See the following for more information:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6
-------------------------------------
Configuration:
The library depends on correct configuration of the Shibboleth Service
Provider (SP) software. In particular, you need to choose an entityID for
your SP, create metadata for the SP (which any Identity Provider (IdP) you
use will need), and configure a few files in /etc/shibboleth/. The files
you need to modify are the following.
(1) /etc/shibboleth/shibboleth2.xml
This is the main Shibboleth SP configuration file. You should be able to use
the provided shibboleth2.xml.dist file as a starting point. You must set the
following sections:
(a) <ApplicationDefaults entityID="https://your.org/shibboleth"
REMOTE_USER="persistent-id targeted-id eppn"
signing="true">
The entityID is set to your chosen entityID and must match the entityID
in the metadata for the SP. "signing" must be set to true so that SAML
messages passed between the server and client are signed.
(b) <MetadataProvider ...>
You must have at least one MetadataProvider section so the library
can verify the IdP used to authenticate the user.
(2) /etc/shibboleth/attribute-map.xml
In order to get a local user name for the authenticated user, you must map
one attribute released by the IdP to "local-login-user". This actually
requires two steps:
(a) The IdP must be configured to release an attribute to your SP's
entityID. It's not critical WHICH attribute is released, as long as
the IdP and SP agree. For this discussion, let's say the IdP has
released "givenName" (urn:oid:2.5.4.42).
(b) On the SP side, map this attribute to "local-login-user" by adding the
following to attribute-map.xml:
<Attribute name="urn:oid:2.5.4.42" id="local-login-user"/>
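The following is an added example, not part of mech_saml_ec or the Shibboleth
project: a small Python check that reads a shibboleth2.xml document and reports
the three settings above that the library depends on (an absolute entityID,
signing="true", and at least one MetadataProvider), and reads an
attribute-map.xml document to find which IdP attribute is mapped to
"local-login-user". The XML documents embedded in it are constructed samples,
not the project's shibboleth2.xml.dist or attribute-map.xml; the namespace
URIs are the ones the Shibboleth SP 2.x configuration files use.

```python
"""Check the Shibboleth SP settings the mech_saml_ec README requires.

Added example, not part of mech_saml_ec. The XML documents below are
constructed samples, not the project's dist files.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"   # shibboleth2.xml namespace
AM_NS = "urn:mace:shibboleth:2.0:attribute-map"      # attribute-map.xml namespace

# Constructed sample that satisfies all three requirements.
SHIBBOLETH2_XML = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://your.org/shibboleth"
                       REMOTE_USER="persistent-id targeted-id eppn"
                       signing="true">
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample that leaves SAML messages unsigned and cannot verify an IdP.
WEAK_SHIBBOLETH2_XML = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://your.org/shibboleth" signing="false"/>
</SPConfig>
"""

# Constructed sample mapping givenName (urn:oid:2.5.4.42) to local-login-user.
ATTRIBUTE_MAP_XML = f"""<Attributes xmlns="{AM_NS}">
  <Attribute name="urn:oid:2.5.4.42" id="local-login-user"/>
</Attributes>
"""


def check_sp_config(xml_text):
    """Return a list of problems; empty when the config meets the README's rules."""
    problems = []
    root = ET.fromstring(xml_text)
    app = root.find(f"{{{SP_NS}}}ApplicationDefaults")
    if app is None:
        return ["no <ApplicationDefaults> element"]
    entity_id = app.get("entityID", "")
    # The entityID must be an absolute URI and match the SP's metadata.
    if not urlparse(entity_id).scheme:
        problems.append(f"entityID {entity_id!r} is missing or not an absolute URI")
    # signing="true" is required so SAML messages between server and client are signed.
    if app.get("signing", "") != "true":
        problems.append('signing is not "true": SAML messages would not be signed')
    # Without a MetadataProvider the library cannot verify the IdP that authenticated the user.
    if app.find(f".//{{{SP_NS}}}MetadataProvider") is None:
        problems.append("no <MetadataProvider>: the IdP cannot be verified")
    return problems


def local_login_attribute(xml_text):
    """Return the SAML attribute name mapped to id="local-login-user", or None."""
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{AM_NS}}}Attribute"):
        if attr.get("id") == "local-login-user":
            return attr.get("name")
    return None


if __name__ == "__main__":
    for label, doc in (("good", SHIBBOLETH2_XML), ("weak", WEAK_SHIBBOLETH2_XML)):
        print(label, "shibboleth2.xml:", check_sp_config(doc) or "ok")
    print("local-login-user <-", local_login_attribute(ATTRIBUTE_MAP_XML))
```

To run it against a real installation, read /etc/shibboleth/shibboleth2.xml
and /etc/shibboleth/attribute-map.xml into the two functions instead of the
embedded samples. A None result from local_login_attribute means no attribute
is mapped yet, so the library cannot derive a local user name.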
-------------------------------------
Testing your IdP configuration:
Before trying the SAML EC GSS mechanism, first confirm that your SAML
IdP supports the SAML ECP Profile. A testecp.sh shell script (from the
Shibboleth project) is provided for this purpose. Edit the testecp.sh
file to set the needed parameters, then run it:
# ./testecp.sh
Enter host password for user 'example':
ECP request successful!
-------------------------------------
Building The Code:
# ./autogen.sh
# ./configure
# make
-------------------------------------
Running in Debug Mode
Copious debugging info can be seen by setting the environment variable
MECH_SAML_EC_DEBUG.
$ export MECH_SAML_EC_DEBUG=anyvalue
-------------------------------------
Testing Library with MIT GSS example programs:
1. Start Server as follows. In one window, run:
# ./testserver.sh
- OR -
# cd gss-sample
# ./gss-server -port 3490 test
2. Invoke client as follows. In a second window, run:
# ./testclient.sh <username> <password>
- OR -
# cd gss-sample
# export SAML_EC_IDP='https://idp.protectnetwork.org/protectnetwork-idp/profile/SAML2/SOAP/ECP' # Use your IdP's ECP endpoint
# ./gss-client -nw -nx -nm -port 3490 -user <username> -pass <password> -mech "{ 1 3 6 1 4 1 11591 4 6 }" localhost test testmessage
-------------------------------------
Using ProtectNetwork's IdP:
If you don't have an ECP-enabled IdP already, one option is to use
ProtectNetwork.
First, federate your SP with the ProtectNetwork IdP:
http://www.protectnetwork.org/support/integrate-protectnetwork-metadata/shibboleth-sp2x
As documented on the above page, you must configure your SP with
ProtectNetwork's metadata and register your SP with ProtectNetwork.
To register your SP with ProtectNetwork, you must first apply for a
ProtectNetwork Administrator account:
https://www.protectnetwork.org/pnidm/adminRegistration.html
Then use the 'Administrator Login' link:
https://www.protectnetwork.org/pnidm/admin/login.jsp
Then click the Add Site button to add a new SP and wait for approval.
To actually log in via SAML ECP, you need to register for a
ProtectNetwork UserID:
https://www.protectnetwork.org/pnidm/registration.html
Finally, you can use the ProtectNetwork IdP's ECP endpoint to log in
with your ProtectNetwork UserID and password:
export SAML_EC_IDP='https://idp.protectnetwork.org/protectnetwork-idp/profile/SAML2/SOAP/ECP'
-------------------------------------
Using with OpenSSH for User Authentication:
Download and install latest krb5 (>= 1.10) from http://web.mit.edu/kerberos/
cd krb5-1.10.3/src
CFLAGS=-g ./configure --prefix=$HOME/krb5-install --enable-shared
make
make install
Place the following in $HOME/krb5-install/etc/gss/mech :
saml-ec 1.3.6.1.4.1.11591.4.6 mech_saml_ec.so
Place mech_saml_ec.so in $HOME/krb5-install/lib/gss/
Place the following in $HOME/krb5-install/etc/krb5.conf :
[libdefaults]
default_realm = YOUR_DOMAIN_ALL_CAPS
Download and install Project Moonshot OpenSSH modified for SAML EC
git clone git@github.com:jbasney/moonshot-openssh.git
cd moonshot-openssh/
./configure --prefix=$HOME/openssh-moonshot --with-kerberos5=$HOME/krb5-install
make install
NOTE: If your krb5 version is too old, the build errors look like:
undefined reference to `gss_pname_to_uid'
undefined reference to `gss_userok'
Put your username/password with the IdP in ~/.gss_eap_id, like:
username
password
Enable GSSAPI, disable Privilege Separation in openssh-moonshot/etc/sshd_config:
GSSAPIAuthentication yes
UsePrivilegeSeparation no
Enable GSSAPI in openssh-moonshot/etc/ssh_config:
GSSAPIAuthentication yes
Run Server as root:
# cd openssh-moonshot/sbin
# ./sshd -p 2222 -ddd -r
Run Client:
$ # First set IdP as shown next
$ export SAML_EC_IDP=https://idp.protectnetwork.org/protectnetwork-idp/profile/SAML2/SOAP/ECP
$ cd openssh-moonshot/bin
$ ./ssh -vvv -p 2222 localhost
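The mechanism OID appears in two forms above: dotted in the gss/mech line
(1.3.6.1.4.1.11591.4.6, in the OpenSSH setup) and brace-delimited in the
gss-client -mech argument ("{ 1 3 6 1 4 1 11591 4 6 }", in the MIT GSS test).
Inside the GSS-API library the same OID is the DER-encoded value octets of a
gss_OID. The following Python is an added example, not part of mech_saml_ec or
MIT krb5: it converts between the forms and checks that a gss/mech table
registers "saml-ec" under the expected OID. The mech file text it parses is a
constructed sample modelled on the line shown above.

```python
"""Convert the mech_saml_ec mechanism OID between its dotted, brace and DER
forms, and check a gss/mech table entry. Added example, not project code."""

EXPECTED_MECH_OID = "1.3.6.1.4.1.11591.4.6"   # the OID from the README's gss/mech line

# Constructed sample of a gss/mech file: the README's entry plus a comment and
# a blank line, both of which the MIT krb5 mech file format permits.
SAMPLE_MECH_FILE = """\
# GSS-API mechanism table (constructed sample)
saml-ec 1.3.6.1.4.1.11591.4.6 mech_saml_ec.so

"""


def dotted_to_brace(dotted):
    """'1.3.6...' -> '{ 1 3 6 ... }', the form gss-client's -mech option takes."""
    return "{ " + " ".join(dotted.split(".")) + " }"


def brace_to_dotted(brace):
    """'{ 1 3 6 ... }' -> '1.3.6...'."""
    return ".".join(brace.strip().strip("{}").split())


def dotted_to_der(dotted):
    """DER-encode the OID's value octets (no tag or length), as gss_OID.elements holds them.

    The first two arcs are combined as 40*arc1 + arc2; every arc is then written
    in base 128, most significant group first, continuation bit set on all but
    the last group.
    """
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def parse_mech_file(text):
    """Return {name: (dotted_oid, library)} from gss/mech text, ignoring comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed mech line: {raw!r}")
        name, oid, library = fields[0], fields[1], fields[2]
        table[name] = (oid, library)
    return table


def check_mech_entry(text, name="saml-ec", expected_oid=EXPECTED_MECH_OID):
    """True when the table registers `name` under the OID the client will ask for."""
    entry = parse_mech_file(text).get(name)
    return entry is not None and entry[0] == expected_oid


if __name__ == "__main__":
    print("gss-client -mech", repr(dotted_to_brace(EXPECTED_MECH_OID)))
    print("gss_OID elements", dotted_to_der(EXPECTED_MECH_OID).hex())
    print("mech table ok:", check_mech_entry(SAMPLE_MECH_FILE))
```

If check_mech_entry returns False for your $HOME/krb5-install/etc/gss/mech,
the client's -mech OID and the library registration disagree, and the GSS
layer will not find mech_saml_ec.so for the requested mechanism.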
-------------------------------------
Acknowledgements:
Development of this software was supported in part by a gift from the
Internet Society (www.internetsociety.org).