I'm trying to enable discopower so that it would offer all the SAML
IdP's in a SAML authsource, as well as numerous other authsources
(Google, LinkedIn, ...) so that a user has the choice of source when
clicking log in.
In short, I want this: https://tnc2012.terena.org/core/user/login
I'm scratching my head how to achieve this. Obviously, the discopower
module is needed. So I "touch enable" it in its module directory. There
is also a config-template, which I copied to config/.
There's a bit of a missing link how to make an SP use that module
though. My application currently does the usual
$as = new SimpleSAML_Auth_Simple('google');
$as->requireAuth();
(SP-only host) which works fine, but I need to specify the authsource
(which I don't want - it should go to discopower instead and let the
user choose). The function needs an argument though. Discopower is not
in itself an authsource, right?
I discovered in Documentation / 1.8 / ukaccess
"Dedicated documentation for DiscoPower module, TBD."
I think I would need the info from that spot...
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
On 1 February 2012 08:55, Stefan Winter <stefan...@restena.lu> wrote:
> Hello,
>
> I'm trying to enable discopower so that it would offer all the SAML
> IdP's in a SAML authsource, as well as numerous other authsources
> (Google, LinkedIn, ...) so that a user has the choice of source when
> clicking log in.
>
> In short, I want this: https://tnc2012.terena.org/core/user/login
The discopower page in question is this one:
https://login.terena.org/wayf/module.php/core/authenticate.php?as=default-sp
This is configured in config/authsources.php. Our config looks like this:
'default-sp' => array(
    'saml:SP',
    'name' => array(
        'en' => 'TERENA Service Provider Proxy',
    ),
    'description' => array(
        'en' => 'A Service Provider Proxy for all TERENA Federated Services',
    ),
    'OrganizationName' => array(
        'en' => 'TERENA',
    ),
    'OrganizationDisplayName' => array(
        'en' => 'TERENA',
    ),
    'OrganizationURL' => array(
        'en' => 'http://www.terena.org/',
    ),
    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    // For future migrations, and for human friendliness, pick a descriptive URL style entityID.
    // For clarity's sake, this could actually redirect to a descriptive page as well.
    'entityID' => 'https://terena.org/sp',
    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => NULL,
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => '/wayf/module.php/discopower/disco.php',
    # Sign by default - 2010-12-17 DV
    # This keeps at least wayf.dk happy when consuming Kalmar metadata
    'redirect.sign' => TRUE,
    # Transition to new key
    #'privatekey'=> 'server.pem', 'certificate' => 'server.crt',
    'new_privatekey' => 'new.pem', 'new_certificate' => 'new.crt',
    # Done with new key
    'privatekey' => 'new.pem', 'certificate' => 'new.crt',
),
I'd say that 'idp' => NULL and 'discoURL' =>
'/wayf/module.php/discopower/disco.php' is the magic combo...
On a side note: this all is configured on our SP proxy.
Connecting so many IdPs to a single SP is also perfectly possible, but
if you then later decide you want to federate another SP, then you'd
have to do it all over again.
If the SPs are within the same administrative/legal domain, I would
recommend very much to set up an SP proxy, and spend any 'connecting
efforts' there.
The proxy can be configured to limit the list of IdPs that are 'seen'
by real SPs behind it. This way you can for instance skip all guest
providers for a certain SP.
Another advantage of this is that any SPs behind the proxy can be
statically configured to just point to the proxy, and don't have to
run wayf-like intermediate portals on their own.
I found this to be easy to understand, configure, and maintain.
Dick
--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
I'm trying to implement something similar to what Stefan is trying to do
and, unfortunately, I'm also stuck...
Using Metarefresh and Discopower modules I managed to create several
Discopower tags containing different SAML IdPs, but I can't figure out
how to create an additional tag with non-SAML IdPs in a Discopower menu :-(
At the moment, Metarefresh module is configured to fetch and prepare all
metadata that is required for Discopower, but I don't know how to
configure Metarefresh to generate data about non-SAML authentication
services (Facebook, Google, etc.) for the separate tag in the Discopower
module.
For example, if you go to the following URL:
http://monitor.eduroam.org/sp/module.php/core/authenticate.php
you will see the list of configured authentication sources, but I don't
want 'facebook', 'linkedin' and 'google' to be displayed there. Instead,
I would like those authentication sources to be displayed at the
separate Discopower tag when user clicks on 'default-sp'.
Any recommendations on how to fix this problem?
Best Regards,
--
Dubravko Vončina
Information Systems and Applications Department
University of Zagreb, University Computing Centre (Srce), www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 1 616 5852, fax: +385 1 616 5559
On 7 February 2012 16:26, Dubravko Voncina <dubravko...@srce.hr> wrote:
> Hi Dick,
>
> I'm trying to implement something similar to what Stefan is trying to do
> and, unfortunately, I'm also stuck...
>
> Using Metarefresh and Discopower modules I managed to create several
> Discopower tags containing different SAML IdPs, but I can't figure out how to
> create an additional tag with non-SAML IdPs in a Discopower menu :-(
>
> At the moment, Metarefresh module is configured to fetch and prepare all
> metadata that is required for Discopower, but I don't know how to configure
> Metarefresh to generate data about non-SAML authentication services
> (Facebook, Google, etc.) for the separate tag in the Discopower module.
>
> For example, if you go to the following URL:
>
> http://monitor.eduroam.org/sp/module.php/core/authenticate.php
>
> you will see the list of configured authentication sources, but I don't want
> 'facebook', 'linkedin' and 'google' to be displayed there. Instead, I would
> like those authentication sources to be displayed at the separate Discopower
> tag when user clicks on 'default-sp'.
>
> Any recommendations on how to fix this problem?
This is actually a different problem, or should we say feature ;-)
We have a separate instance of SSP that is used to 'bridge' non-SAML IdPs.
That bridge instance contains authsource entries for twitter, facebook, etc:
https://login.terena.org/bridge/module.php/core/authenticate.php
We had to patch www/saml2/idp/SSOService.php to allow passing
'entityID' using GET (see attached diff).
This enabled us to include the (now SAML) metadata that points to the entries.
Snippet of saml20-idp-remote on the SP Proxy:
$metadata['https://login.terena.org/bridge/twitter'] = array (
    'tags' => array('all', 'guest', 'socialnet'),
    'name' => array(
        'en' => 'Twitter',
    ),
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'https://login.terena.org/bridge/saml2/idp/metadata.php',
    'SingleSignOnService' =>
        'https://login.terena.org/bridge/saml2/idp/SSOService.php?entityID=https://login.terena.org/bridge/twitter',
    'SingleLogoutService' =>
        'https://login.terena.org/bridge/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'F2A7C9BA9AFB251C858B2E94461D7A3B96118DF7',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    'metadata.sign.enable' => TRUE,
);
$metadata['https://login.terena.org/bridge/facebook'] = array (
    'tags' => array('all', 'guest', 'socialnet'),
    'name' => array(
        'en' => 'Facebook',
    ),
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'https://login.terena.org/bridge/saml2/idp/metadata.php',
    'SingleSignOnService' =>
        'https://login.terena.org/bridge/saml2/idp/SSOService.php?entityID=https://login.terena.org/bridge/facebook',
    'SingleLogoutService' =>
        'https://login.terena.org/bridge/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'F2A7C9BA9AFB251C858B2E94461D7A3B96118DF7',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    'metadata.sign.enable' => TRUE,
);
As you can see, the correct discopower tags are put there as well.
An attempt to visualise this can be seen on page 5 of this
presentation: https://tnc2011.terena.org/getfile/801
To clarify the various names and SSP instances:
https://login.terena.org/wayf = SP proxy
https://login.terena.org/bridge = bridge
https://login.terena.org/idp = TERENA secretariat IdP - this is our own
office IdP, which also connects to the SP proxy.
Hope this helps.
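Since the bridge pattern above means one near-identical saml20-idp-remote block per social authsource (and the same 'idp' => NULL / 'discoURL' combo on the proxy's default-sp), here is an added helper for generating those blocks. It is example code, not from this thread or from SimpleSAMLphp; the bridge URL, the certificate fingerprint, the authsource names and the function name are all hypothetical.

```php
<?php
// Added example (not from the thread, not SimpleSAMLphp code): build the
// saml20-idp-remote entries an SP proxy needs for the non-SAML authsources
// behind a bridge instance, one discopower entry per authsource, instead of
// copying the twitter/facebook blocks by hand. Assumptions, all hypothetical:
// the bridge base URL, the SHA-1 fingerprint of the bridge IdP's signing
// certificate, and that every key in $sources is an authsource configured on
// the bridge (the patched SSOService.php selects it via the entityID parameter).

function bridgeIdpEntries($bridgeBase, array $sources, $fingerprint,
                          array $extraTags = array('guest', 'socialnet')) {
    $bridgeBase = rtrim($bridgeBase, '/');
    if (strpos($bridgeBase, 'https://') !== 0) {
        throw new InvalidArgumentException('bridge URL must use https');
    }
    // 'certFingerprint' expects the bare hex SHA-1 of the signing certificate.
    if (!preg_match('/^[0-9a-f]{40}$/i', $fingerprint)) {
        throw new InvalidArgumentException('certFingerprint must be 40 hex digits');
    }
    $entries = array();
    foreach ($sources as $authsource => $displayName) {
        if (!preg_match('/^[a-z0-9_-]+$/i', $authsource)) {
            throw new InvalidArgumentException("bad authsource name: $authsource");
        }
        // Per-source pseudo entityID: the key discopower lists, and the value
        // handed back to the bridge's SSOService as the entityID GET parameter.
        $id = $bridgeBase . '/' . $authsource;
        $entries[$id] = array(
            'tags' => array_values(array_unique(array_merge(array('all'), $extraTags))),
            'name' => array('en' => $displayName),
            'metadata-set' => 'saml20-idp-remote',
            // All pseudo-IdPs share the bridge's real IdP entityid and signing key.
            'entityid' => $bridgeBase . '/saml2/idp/metadata.php',
            // The thread leaves the entityID unencoded; encoding it is equivalent
            // once $_GET decodes it on the bridge side, and safer for odd names.
            'SingleSignOnService' => $bridgeBase . '/saml2/idp/SSOService.php?entityID=' . rawurlencode($id),
            'SingleLogoutService' => $bridgeBase . '/saml2/idp/SingleLogoutService.php',
            'certFingerprint' => $fingerprint,
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
            'metadata.sign.enable' => TRUE,
        );
    }
    return $entries;
}

// Usage in metadata/saml20-idp-remote.php on the SP proxy (placeholder values):
$metadata = isset($metadata) ? $metadata : array();
$metadata += bridgeIdpEntries(
    'https://login.example.org/bridge',
    array('twitter' => 'Twitter', 'facebook' => 'Facebook', 'google' => 'Google'),
    '0000000000000000000000000000000000000000'  // placeholder: the bridge IdP cert fingerprint
);
```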
Thank you for the very useful tips.
It took me a while to figure out every single thing that I have to
configure, but in the end everything seems to work perfectly :-)
Best Regards,
--
Dubravko Vončina
Information Systems and Applications Department
University of Zagreb, University Computing Centre (Srce), www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 1 616 5852, fax: +385 1 616 5559
On 07.02.2012. 19:28, Dick Visser wrote:
> Hi Dubravko