shibboleths_lil_helper 1.0.1 → 1.0.2
- data/README.markdown +46 -78
- data/VERSION +1 -1
- data/lib/slh/templates/_application_details.erb +1 -1
- data/shibboleths_lil_helper.gemspec +2 -2
- metadata +3 -3
data/README.markdown
CHANGED
@@ -1,18 +1,22 @@
|
|
1
1
|
About
|
2
2
|
=====
|
3
|
-
Shibboleth's Lil Helper is a tool that automates the generation of Apache/IIS Shibboleth Native Service Provider configuration & metadata files. It provides several benefits over manually configuring each NativeSp instance/server by:
|
3
|
+
Shibboleth's Lil Helper (slh) is a tool that automates the generation of Apache/IIS Shibboleth Native Service Provider configuration & metadata files. It provides several benefits over manually configuring each NativeSp instance/server by:
|
4
4
|
|
5
5
|
* __Providing a consistent configuration approach__ you can apply uniformly across all of the servers managed by your organization.
|
6
6
|
* Makes deployment automation possible, errors less frequent, and troubleshooting easier.
|
7
7
|
|
8
8
|
* __Dividing high level auth specs from actual NativeSp configuration__
|
9
|
-
* Programmers can focus on high level goals like "protect files underneath the '/secure' directory on 'somewebsite.com'" rather than grappeling with the bewildering complexity of the NativeSp's interrelated XML files, the Shibboleth protocal, SAML, etc.
|
9
|
+
* Programmers can focus on high level goals like "protect files underneath the '/secure' directory on 'somewebsite.com'" rather than grappeling with the bewildering complexity of the NativeSp's interrelated XML files, the Shibboleth protocal, SAML, etc.
|
10
10
|
|
11
11
|
* __Providing conceptually simple linear process__ that distills the main steps associated with Shibboleth integration.
|
12
12
|
|
13
|
+
* Verifying metadata consistency across sites & hosts associated with
|
14
|
+
particular Shibboletht SP entity_id.
|
15
|
+
|
13
16
|
DISCLAIMER
|
14
17
|
-------------------------
|
15
18
|
All you see here on Github is the readme, no code yet.
|
19
|
+
|
16
20
|
This is released as a RubyGem right now, we hope to push the source up
|
17
21
|
here once things stabilize further
|
18
22
|
|
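Review bot: the rewritten "About" sentence and the kept bullet below it still carry the typos "grappeling" (grappling) and "protocal" (protocol), and the new bullet reads "particular Shibboletht SP entity_id" (Shibboleth); since these lines are touched by this change anyway, fix them here. The same new bullet is split mid-sentence across two source lines ("associated with" / "particular ..."), which Markdown joins but is worth keeping on one line so the list item reads as one sentence in the raw file.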
@@ -31,8 +35,7 @@ Installation
|
|
31
35
|
============
|
32
36
|
* Pre-requisites:
|
33
37
|
* Rubygems: http://rubygems.org/pages/download
|
34
|
-
|
35
|
-
|
38
|
+
|
36
39
|
* Via Ruby Gems:
|
37
40
|
* gem install shibboleths_lil_helper
|
38
41
|
* Then type `slh` -- this provides more detailed/actionable
|
@@ -41,93 +44,59 @@ Installation
|
|
41
44
|
Assumptions
|
42
45
|
===========
|
43
46
|
* Shibboleth Native Service Provider Apache/IIS is already installed on your target web servers.
|
44
|
-
* The X509Certificate (sp-cert.pem, sp-key.pem) keys are in their default locations along-side shibboleth2.xml.
|
45
|
-
* The Shibboleth apache module is loaded globally for all vHosts
|
46
|
-
*
|
47
|
-
method, manual is git cloned
|
47
|
+
* The X509Certificate (sp-cert.pem, sp-key.pem) keys are in their default locations along-side shibboleth2.xml.
|
48
|
+
* The Shibboleth apache module is loaded globally for all vHosts.
|
49
|
+
* You are integrating with a single Identity Provider.
|
48
50
|
|
49
51
|
Concept
|
50
52
|
=======
|
51
53
|
|
52
|
-
|
53
|
-
via an easily readable ruby parseable domain specific language. From these specs, Shibboleth's Lil Helper is capable of generating all of the required XML files you will need to integrate with
|
54
|
-
a Shibboleth Identify Provider (Idp).
|
54
|
+
All configuration and authentication specs for all Shibboleth SP instances are specified in a single ruby parseable "shibboleths_lil_helper/config.rb" file. From these specs, slh is capable of generating all of the required XML files you will need to integrate with a Shibboleth Identify Provider (Idp).
|
55
55
|
|
56
56
|
The generation of these XML files happens through a command line tool
|
57
57
|
called "slh". Each particular task is broken into sub-commands such as
|
58
|
-
"initialize", "generate", or "
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
end
|
74
|
-
end
|
75
|
-
|
76
|
-
an invocation of
|
77
|
-
|
78
|
-
`slh generate`
|
79
|
-
|
80
|
-
will produce the a dir structure and various config files
|
81
|
-
associated with these specifications for each strategy, host, and site.
|
82
|
-
|
83
|
-
shibboleths_lil_helper/
|
84
|
-
generated/
|
85
|
-
<strategy>/ (apache_shib_test_server)
|
86
|
-
<hostname>/ (asr-web-dev4.oit.umn.edu)
|
87
|
-
idp_metadata.xml
|
88
|
-
shib_apache.conf
|
89
|
-
shibboleth2.xml
|
90
|
-
sp_metadata_for_host_to_give_to_idp.xml
|
91
|
-
<site>/ (shib-php-test.asr.umn.edu)
|
92
|
-
fetched_metadata.xml
|
58
|
+
"initialize", "generate", "verify_metadata", or "generate_metadata" that perform various tasks.
|
59
|
+
|
60
|
+
* It all starts with:
|
61
|
+
|
62
|
+
mkdir shibboleth_deployer
|
63
|
+
cd shibboleth_deployer
|
64
|
+
slh initialize
|
65
|
+
|
66
|
+
This creates a config file with example code you'll need to change to work.
|
67
|
+
|
68
|
+
* Go in and edit shibboleths_lil_helper/config.rb to reflect your setup,
|
69
|
+
adding
|
70
|
+
* entity id
|
71
|
+
* idp metadata url
|
72
|
+
* hosts, sites, and paths to protect for each for each site
|
93
73
|
|
94
74
|
|
75
|
+
* From here you type:
|
76
|
+
|
77
|
+
slh generate
|
78
|
+
|
79
|
+
which will generate shibboleth2.xml and a couple others
|
80
|
+
Now--you go put these files on the hosts they have been generated for.
|
81
|
+
|
95
82
|
* The generated shibboleth2.xml will have RequestMap specs that restrict
|
96
|
-
access to
|
83
|
+
access to specified paths you have
|
97
84
|
|
98
|
-
* These generated files should be checked into a source control repository.
|
99
85
|
|
100
|
-
|
86
|
+
* Once you've copied the shibboleth2.xml up to your target hosts, you
|
87
|
+
can type:
|
101
88
|
|
102
|
-
|
103
|
-
* has one IDP entity id (:idp_metadata_url)
|
104
|
-
* has one service provider entity id (:sp_entity_id)
|
105
|
-
* has many hosts
|
106
|
-
* a host (for_host)
|
107
|
-
* has many sites
|
108
|
-
* a site (for_site)
|
109
|
-
* has many site paths that have various auth rules
|
110
|
-
* a site path (protect)
|
111
|
-
* has a "flavor" such as the following specified like
|
112
|
-
*protect "optional_auth", :flavor => :authentication_optional*
|
113
|
-
* authentication_required
|
114
|
-
* authentication_optional
|
115
|
-
* authentication_required_for_specific_users
|
89
|
+
slh verify_metadata
|
116
90
|
|
91
|
+
which will tell some of the things that are probably incorrect with
|
92
|
+
your setup and how to fix it. (like copying the sp-key.pem and sp-cert.pem keys associated with the :is_key_originator site to all of the other hosts)
|
117
93
|
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
will be using shibboleth with
|
125
|
-
* [generate] generate shibboleth2.xml, shib_apach.conf
|
126
|
-
config files
|
127
|
-
* [a deployment tool or manually] deploy these files out to each host (ideally using a deployment automation tool such as Capistrano)
|
128
|
-
* [metadata] generate metadata: creates and combines SP Metadata from all
|
129
|
-
of the Shib servers into a file(s) you can share with your IDP.
|
130
|
-
* [email] send the generated meta data to your IDP
|
94
|
+
* Then, once verify_metadata is showing all green:
|
95
|
+
|
96
|
+
slh generate_metadata
|
97
|
+
|
98
|
+
which generates a metadata file for each strategy/entity id you have
|
99
|
+
that you can give you your IDP.
|
131
100
|
|
132
101
|
Real World Example
|
133
102
|
==================
|
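Review bot: the new verify_metadata paragraph tells the operator to copy sp-key.pem from the :is_key_originator site to all of the other hosts, but sp-key.pem is the SP's private key (the Assumptions section lists it beside sp-cert.pem as the key material kept next to shibboleth2.xml), so the README should say how to move it: over an authenticated channel such as scp/ssh or the same deployment tool that pushes shibboleth2.xml, never by e-mail or a shared drop, and readable only by the shibd user on each host, because every host holding that key can sign and decrypt as this entity_id. Separately, this hunk drops the DSL reference (`for_host`, `for_site`, `protect "optional_auth", :flavor => :authentication_optional` and the three flavors authentication_required / authentication_optional / authentication_required_for_specific_users) and the generated/ directory layout without documenting them anywhere else; the replacement bullet only says "hosts, sites, and paths to protect for each for each site", so either keep the flavor list or point at the file under doc/ that now holds it. Minor wording in the added lines: "access to specified paths you have" is a sentence fragment, "which will tell some of the things" needs "you", "give you your IDP" should be "give to your IDP", and "Identify Provider (Idp)" should be "Identity Provider (IdP)".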
@@ -160,8 +129,7 @@ files to be, e.g:
|
|
160
129
|
|
161
130
|
Additional Docs
|
162
131
|
===============
|
163
|
-
* doc
|
164
|
-
* doc/for_slh_developers.markdown
|
132
|
+
* See the stuff in /doc in this project
|
165
133
|
|
166
134
|
How to Help
|
167
135
|
======================
|
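Review bot: replacing the explicit "doc/for_slh_developers.markdown" entry with "See the stuff in /doc in this project" loses the one concrete filename a reader could open, and "/doc" reads as an absolute filesystem path; keep the file list under "doc/" (relative to the project root) and add the new files this release documents there, if any.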
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.0.
|
1
|
+
1.0.2
|
@@ -5,7 +5,7 @@
|
|
5
5
|
<Logout>SAML2 Local</Logout>
|
6
6
|
|
7
7
|
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
8
|
-
<Handler type="Status" Location="/Status"
|
8
|
+
<Handler type="Status" Location="/Status" acl="127.0.0.1"/><!-- NOTE: this acl bit, makes this Shibboleth.sso/Status url only available from the server, not publically, this is an important security feature. -->
|
9
9
|
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
10
10
|
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
11
11
|
</Sessions>
|
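Review bot: acl="127.0.0.1" matches only the IPv4 loopback address, so if the web server is reached over IPv6 a local request arrives from ::1 and is denied; use the space-separated form the stock shibboleth2.xml ships, acl="127.0.0.1 ::1". The inline comment on this line is emitted into every generated shibboleth2.xml, so tidy it before it lands on hosts, e.g. `<!-- acl restricts /Shibboleth.sso/Status to requests from the server itself; do not expose it publicly -->` ("this acl bit, makes" and "publically" are awkward). The MetadataGenerator and DiscoveryFeed handlers on the adjacent context lines remain unrestricted, which is the intended default since both serve public data, but a one-line comment saying so would stop the next reader from "fixing" them.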
@@ -5,11 +5,11 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = %q{shibboleths_lil_helper}
|
8
|
-
s.version = "1.0.
|
8
|
+
s.version = "1.0.2"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Joe Goggins"]
|
12
|
-
s.date = %q{2011-11-
|
12
|
+
s.date = %q{2011-11-02}
|
13
13
|
s.default_executable = %q{slh}
|
14
14
|
s.description = %q{See the summary text.}
|
15
15
|
s.email = %q{goggins@umn.edu}
|
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 1
|
7
7
|
- 0
|
8
|
-
-
|
9
|
-
version: 1.0.
|
8
|
+
- 2
|
9
|
+
version: 1.0.2
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- Joe Goggins
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2011-11-
|
17
|
+
date: 2011-11-02 00:00:00 -05:00
|
18
18
|
default_executable: slh
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
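Review bot: `cert_chain: []` in the context just above this hunk means 1.0.2 is pushed unsigned, as 1.0.1 was; since this gem writes the SP's shibboleth2.xml and the metadata handed to the IdP, consider signing it (`gem cert --build`, then `s.cert_chain` and `s.signing_key` in the gemspec) so operators can install with `gem install -P HighSecurity` and verify the package before it touches their Shibboleth hosts.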