On Wed, Nov 18, 2015 at 12:39 PM, Shweta <
shweta...@gmail.com> wrote:
> I guess the PDO metadata patch unique to your use case.
It was a patch we found on this list to use a database for metadata
rather than local files.
> The backend Shib IDP
> means, that the requesting SP comes to the SSP proxy, where the
> saml20-idp-remote.php is configured to send to Shib IDP? Can you briefly
> explain the flow and how configs are setup here?
We have application SPs (a mix of SSP, mod_auth_mellon, omniauth-saml,
passenger-saml, native inside application (Java), and Shibboleth) that
point to the IdP side of our proxy. Our proxy IdP is configured to
advertise (via <md:Extensions><shibmd:Scope>our-domain</></>) that
it’s authoritative for our domain so that the SPs will accept scoped
attributes using our domain from the proxy. It is also configured to
use ‘default-sp' for authentication. On the SP side of our proxy
(‘default-sp’) the SP is registered with our campus IdP (Shibboleth).
We’re using puppet to build docker images, then injecting
configuration via volume mounts and environment variables / files, so
we use environment variable all over our configuration; this enables
us to run the same idpproxy image on different subdomains against dev
and prod IdPs. Additionally, our idpproxy image is just a few files
dropped on top of a base LAMP + SSP image, which already includes the
metadata for all our IdPs and proxies. I’ll explain the environment
variables below:
In authsources.php:
'default-sp' => array(
'saml:SP',
'privatekey' => 'idpproxy.key',
'certificate' => 'idpproxy.pem',
'entityID' => $_SERVER['ENV_ENTITY_ID'],
'idp' => $_SERVER['ENV_IDP'],
'authproc' => array(
20 => 'saml:NameIDAttribute',
),
ENV_ENTITY_ID is the SAML entity ID for the SP side of the proxy
ENV_IDP is the SAML entity ID for the campus IdP.
In config.local.php (included from config.php):
$config['metadata.sources'][] = array(
'type' => 'pdo',
'dsn' => 'mysql:host=' . $_SERVER['RDS_HOSTNAME']
. ';dbname=' . $_SERVER['RDS_DB_NAME'],
'username' => $_SERVER['RDS_USERNAME'],
'password' => $_SERVER['RDS_PASSWORD'],
'tablePrefix' => 'sspmd_'
);
$config["enable.saml20-idp"] = true;
All our applications use the RDS_* variables to access their
databases; the names came from an early setup of other applications on
AWS Elastic Beanstalk.
All our SSP configurations use the same database for session state,
and our idpproxy uses the PDO patch to access metadata from a
database.
In saml20-idp-hosted.php:
$metadata[$_SERVER['ENV_ENTITY_ID'] . 'idp'] = array(
'host' => $_SERVER['ENV_DOMAIN'],
/* X.509 key and certificate. Relative to the cert directory. */
'privatekey' => 'idpproxy.key',
'certificate' => 'idpproxy.pem',
// use the local SP for authentication
'auth' => 'default-sp',
'scope' => array ('our-domain'),
'signature.algorithm' =>
'
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
'attributes.NameFormat' =>
'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
1 => array(
'class' => 'saml:TransientNameID',
),
2 => array(
'class' => 'saml:PersistentNameID',
'attribute' => 'eduPersonPrincipalName',
),
3 => array(
'class' => 'saml:AttributeNameID',
'attribute' => 'mail',
'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
),
// Convert LDAP names to oids.
99 => array(
'class' => 'core:AttributeMap',
'name2oid',
'%duplicate',
),
100 => array(
'class' => 'core:AttributeMap',
'mail' => array('mail', 'email'),
'displayName' => array('displayName', 'name'),
),
),
);
ENV_ENTITY_ID is the same as in authsources.php
ENV_DOMAIN is the hostname for the idpproxy
Since our applications using SSP as an SP prefer attribute names to
OIDs, our base LAMP + SSP image maps OIDs to names; authproc 99 maps
those names back to OIDs, while preserving the named attributes (the
‘%duplicate’ option) for SAML SPs behind the proxy that need / prefer
OIDs.
We also have some apps with “interesting” ideas about attribute
naming, so authproc 100 adds extra names for some common attributes.
> Can you please elaborate on adding all federated IdP domains to the scope
> array? specifically is this a config.php, saml20-idp-remote/hosted.php
> thing? We have the metadata for all the campuses we are planning to put
> Proxy in front of, in an xml (Shib format). Extracting from that was the
> plan, however I have also seen some posts for metadata_converter.php as part
> of SSP that can help with that ( still to explore).
InCommon, and presumably some other federations based on it, publish
‘scope’ metadata for IdPs - a list of scopes that each IdP is allowed
to use. The idea is that exampleA.com’s IdP should not be releasing
scoped attributes using exampleB.com, unless exampleB has instructed
the federation that exampleA is allowed to do that. By default
Shibboleth (and SSP, I think) SPs will rejected scoped attributes from
an IdP for scopes not listed in that IdP’s metadata. InCommon
participants use two main scoped attributes - eduPersonPrincipalName
and eduPersonScopedAffiliation - so it’s important for IdPs in
InCommon to list the correct scopes; it may be less necessary in other
federations.
> Your second consideration is exactly why we have to do this. Cloud based SPs
> and more lacking than others to handle a federated/ multi-institution SSO
> for a single instance at the SP. We are also going to have only a handful of
> these.
Sometimes the vendors need more experience with SAML, other times
they’re restricted by the SAML implementation they chose (most
commercial implementations don’t have support for automated metadata
yet, as an example).
Scotty