shibboleths_lil_helper 1.0.8 → 1.0.9
- data/LICENSE.txt +1 -1
- data/README.markdown +94 -93
- data/TODOS.txt +6 -0
- data/VERSION +1 -1
- data/lib/slh/cli.rb +5 -5
- data/lib/slh/cli/generate.rb +1 -1
- data/lib/slh/cli/generate_metadata.rb +0 -23
- data/lib/slh/models/site.rb +3 -2
- data/lib/slh/templates/config.rb.erb +85 -72
- data/lib/slh/templates/shib_apache.conf.erb +15 -3
- data/shibboleths_lil_helper.gemspec +9 -12
- metadata +58 -40
- data/lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb +0 -33
data/LICENSE.txt
CHANGED
data/README.markdown
CHANGED
@@ -2,45 +2,30 @@ About
|
|
2
2
|
=====
|
3
3
|
Shibboleth's Lil Helper (slh) is a tool that automates the generation of Apache/IIS Shibboleth Native Service Provider configuration & metadata files. It provides several benefits over manually configuring each NativeSp instance/server by:
|
4
4
|
|
5
|
-
* __Providing a consistent configuration approach__ applied uniformly across all servers in your organization.
|
5
|
+
* __Providing a consistent configuration approach__ applied uniformly across all servers in your organization via one easy-to-read config file describing shib config across X web servers (IIS and Apache), Y sites, and Z directory paths.
|
6
6
|
|
7
|
-
* __Providing conceptually simple linear process__ that distills the main steps associated with Shibboleth integration.
|
8
|
-
|
9
|
-
|
7
|
+
* __Providing conceptually simple linear process__ that distills the main steps associated with Shibboleth integration.
|
8
|
+
1. initialize a config.rb file
|
9
|
+
2. edit slh config.rb file
|
10
|
+
3. generate shib2.xml (and deploy to web server hosts)
|
11
|
+
4. verify sp metadata correctness
|
12
|
+
5. generate metadata
|
13
|
+
6. send metadata to idp
|
14
|
+
7. verify all is well
|
10
15
|
|
11
16
|
* __Dividing high level auth specs from actual NativeSp configuration__
|
12
17
|
* Programmers can focus on high level goals like "protect files underneath the '/secure' directory on 'somewebsite.com'" rather than grappeling with the bewildering complexity of the NativeSp's interrelated XML files, the Shibboleth protocal, SAML, etc.
|
13
18
|
|
14
|
-
Staying up-to-date
|
15
|
-
------------------
|
16
|
-
__This code is under active development__.
|
17
|
-
|
18
|
-
* Create a Github issue to report problems you might be having with the
|
19
|
-
tool.
|
20
|
-
* See CHANGLOG.markdown for the changes associated with each gem release
|
21
|
-
* See TODOS.markdown for changes that we're thinking about
|
22
|
-
incorporating. Send me (Joe) a message on Github (joegoggins) or email
|
23
|
-
if you have other things you are thinking of.
|
24
|
-
* Use `gem update shibboleths_lil_helper` to get the most current version.
|
25
|
-
|
26
|
-
Why another tool?
|
27
|
-
-----------------
|
28
|
-
We needed something that could help manage shibboleth SP
|
29
|
-
configuration consistently with minimal manual work for:
|
30
|
-
|
31
|
-
* Many web servers
|
32
|
-
* each running iis6, iis7, or Apache 2.2
|
33
|
-
* each hosting many vhosts (aka sites)
|
34
|
-
* each running PHP, Rails 2 + 3, classic ASP, or .NET
|
35
|
-
* each running the Apache/IIS Native Service Provider
|
36
19
|
|
37
20
|
Assumptions
|
38
21
|
-----------
|
39
|
-
* __shibboleth-2.4.3 is installed on your target hosts__.
|
40
|
-
work too, but have not been tested.
|
41
|
-
* Each host integrates with a single Identity Provider, not multiple.
|
22
|
+
* __shibboleth-2.4.3 is installed on your target hosts__.
|
23
|
+
Versions greater than this should work too, but have not been tested.
|
24
|
+
* Each web server host integrates with a single Identity Provider, not multiple.
|
25
|
+
* All sites on a particular web server host use the same Service
|
26
|
+
Provider Entity ID.
|
42
27
|
* (for Apache) The Shibboleth apache module is loaded globally for all
|
43
|
-
vHosts. (This doesn't mean that it requires auth globally--just available).
|
28
|
+
vHosts. (This doesn't mean that it requires auth globally--just available, see lib/slh/templates/shib_apache.conf.erb for what this looks like).
|
44
29
|
|
45
30
|
Installation
|
46
31
|
------------
|
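Review bot: step `4. verify sp metadata correctness` in the new seven-step list comes before `5. generate metadata`, so a first-time reader will assume it checks the file produced in step 5; the Usage section later shows it actually checks what each deployed host serves at `/Shibboleth.sso/Metadata`. Reword the step to something like `4. verify each host's SP metadata endpoint` so the order reads as intended. While here, the unchanged context still carries `grappeling` and `protocal`, and the Assumptions bullet `Versions greater than this should work too, but have not been tested` would be more useful if it named the exact SP release the templates were last verified against.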
@@ -53,19 +38,21 @@ Installation
|
|
53
38
|
* Then type `slh` -- this provides more detailed/actionable
|
54
39
|
documentation
|
55
40
|
|
56
|
-
* Via Git: (
|
41
|
+
* Via Git: (for developers/contributors)
|
57
42
|
* this is how developers/contributors should install the tool
|
58
|
-
* `git clone ...git://
|
43
|
+
* `git clone ...git://thisrepo_or_a_fork... slh`
|
59
44
|
* `cd slh`
|
60
45
|
* `bundle install`
|
61
46
|
* then add a symlink to bin/slh (something like below)
|
62
|
-
* `ln -s bin/slh ~/
|
63
|
-
*
|
64
|
-
|
47
|
+
* `ln -s bin/slh ~/slh_local`
|
48
|
+
* run commands on your test config.rb with `slh_local generate` or
|
49
|
+
`slh_local generate_metadata`, etc
|
65
50
|
|
66
51
|
* Install notes:
|
67
52
|
* Tool requires nokogiri gem which in-turn requires libxml2, you may
|
68
53
|
run into difficulties there: See http://nokogiri.org/tutorials/installing_nokogiri.html if you have problems.
|
54
|
+
* Doesn't work w JRuby, probably all versions, 1.6.7 confirmed to not
|
55
|
+
work.
|
69
56
|
|
70
57
|
Before using this tool
|
71
58
|
----------------------
|
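Review bot: `ln -s bin/slh ~/slh_local` creates a dangling link. A relative symlink target is resolved against the directory the link lives in, so `~/slh_local` will point at `~/bin/slh`, not at `<clone>/bin/slh`. Use an absolute target, e.g. `ln -s "$PWD/bin/slh" ~/slh_local` run from inside the clone. Also, `* this is how developers/contributors should install the tool` now duplicates the parenthetical added to the `Via Git` heading and can be dropped.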
@@ -100,68 +87,90 @@ requirement, slh will help you with this later too)
|
|
100
87
|
A simple convention is to have a dev entity for "development" or "staging" apps and one for production stuff.
|
101
88
|
You might consider https://YOUR_ORG.umn.edu/shibboleth/dev_default or https://YOUR_ORG.umn.edu/shibboleth/prod_default
|
102
89
|
|
103
|
-
|
104
|
-
|
105
|
-
-------
|
90
|
+
Usage
|
91
|
+
-----
|
106
92
|
|
107
93
|
All configuration and authentication specs for all Shibboleth SP instances are specified in a single ruby parseable `shibboleths_lil_helper/config.rb` file. From these specs, slh is capable of generating all of the required XML files you will need to integrate with a Shibboleth Identify Provider (Idp). The following breaks down the essential steps.
|
108
94
|
|
109
|
-
|
110
|
-
### Initialization
|
111
|
-
It all starts with
|
95
|
+
### 1. __Initialize a config.rb file__
|
112
96
|
|
113
97
|
mkdir shibboleth_deployer
|
114
98
|
cd shibboleth_deployer
|
115
99
|
slh initialize
|
116
100
|
|
117
|
-
This creates a config file with example code you'll need to change to work.
|
101
|
+
This creates a config file with example code you'll need to change to work.
|
118
102
|
|
119
|
-
###
|
120
|
-
|
103
|
+
### 2. edit `shibboleths_lil_helper/config.rb`
|
104
|
+
The generated config.rb contains instructions and examples of valid
|
105
|
+
configuration options to set your:
|
106
|
+
* sp_entity_id
|
107
|
+
* idp_metadata_url : the URL (NOT the idp entity ID) for you IDP's metadata
|
108
|
+
* strategies, hosts, sites, and paths to protect
|
121
109
|
|
122
|
-
|
123
|
-
|
124
|
-
* hosts, sites, and paths to protect for each for each site
|
125
|
-
|
126
|
-
From here you type:
|
110
|
+
### 3. Generate shibboleth2.xml and deploy to web server hosts
|
111
|
+
In the directory one up from "shibboleths_lil_helper" (in this case shibboleth_deployer), type
|
127
112
|
|
128
113
|
slh generate
|
129
114
|
|
130
|
-
This creates:
|
115
|
+
This creates files for each web server host:
|
131
116
|
|
132
117
|
* shibboleth2.xml
|
133
|
-
* idp_metadata.xml
|
118
|
+
* idp_metadata.xml (this is simply a copy of the IDP metadata at :idp_metadata_url
|
134
119
|
* shib_apache.conf (if using apache)
|
135
120
|
|
136
|
-
|
121
|
+
shibboleth2.xml contains a <RequestMap> and other goo needed to integrate with an Shib IDP to reflect the sites and paths your want protected.
|
122
|
+
|
123
|
+
You must deploy these files to each host and restart the shib
|
124
|
+
daeman/service and apache/IIS.
|
125
|
+
|
126
|
+
You must also arbitrarily __pick one particular site__ in each strategy to `set :is_key_originator,true` for, if you see this more in a strategy, it will NOT WORK. (also, don't set it to false, just remove the line in all but one site)
|
127
|
+
|
128
|
+
`set :is_key_originator, true` tells slh that this site has the authoriative X509Certificate (in the SP metadata) that all other sites should match against (used in the verify_metadata command).
|
129
|
+
|
130
|
+
It implies that each host in your strategy has the same sp-key.pem and sp-cert.pem files as the host where the "is_key_originator" site lives.
|
131
|
+
|
132
|
+
It also implies that, when you setup a new web server host: copy the sp-key and sp-cert files from this "is_key_originator" host to the new host.
|
137
133
|
|
138
|
-
|
134
|
+
### 4. Verify SP metadata correctness
|
135
|
+
Once you've deployed you shibboleth2.xml, idp_metadata.xml, shib_apache,
|
136
|
+
and sp-key, and sp-cert to all hosts, you can
|
139
137
|
|
140
|
-
|
141
|
-
Verify your metadata data across all hosts:
|
138
|
+
Verify your metadata data across all hosts with:
|
142
139
|
|
143
140
|
slh verify_metadata
|
144
141
|
|
145
|
-
|
146
|
-
|
142
|
+
This command will provide useful output and instructions to get your SP
|
143
|
+
metadat setup correctly.
|
147
144
|
|
148
|
-
|
149
|
-
|
145
|
+
This command and generate_metadata rely on URLs like `somesite.com/Shibboleth.sso/Metadata`
|
146
|
+
|
147
|
+
being publically available. If this command is erroring out, its likely
|
148
|
+
due to the fact that one or more sites does not expose this URL (and
|
149
|
+
likely requires a change to shibboleth2.xml, i.e. tweak config.rb, `slh generate`, and redeploy to server).
|
150
|
+
|
151
|
+
|
152
|
+
### 5. Generate SP metadata
|
153
|
+
If verify_metadata is not showing any errors, you can proceed to
|
150
154
|
|
151
155
|
slh generate_metadata
|
152
156
|
|
153
|
-
which generates
|
154
|
-
|
157
|
+
which generates an SP metadata file for each SP entity id in in a file
|
158
|
+
like:
|
159
|
+
|
160
|
+
shibboleths_lil_helper/generated/<STRATEGY_NAME>/<STRATEGY_NAME>_sp_metadata_for_idp.xml
|
155
161
|
|
156
|
-
|
157
|
-
|
162
|
+
__This SP Metadata file MUST BE INSTALLED on the IDP to proceed!!!__
|
163
|
+
Typically this is done by emailing the file to your identity management
|
164
|
+
team
|
158
165
|
|
159
|
-
|
166
|
+
### 6. Send SP metadata to IDP folks
|
167
|
+
Send the <STRATEGY_NAME>_sp_metadata_for_idp.xml to your IDP folks.
|
160
168
|
|
161
|
-
|
169
|
+
### 7. Verify all is well
|
170
|
+
Hit somesite.com/Shibboleth.sso/Login and be happily prompted for login.
|
162
171
|
|
163
172
|
|
164
|
-
Deployment automation
|
173
|
+
Deployment automation (on Unix/Apache)
|
165
174
|
---------------------
|
166
175
|
Once you have the basic stuff working, you may want to automate
|
167
176
|
deployment:
|
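Review bot: the `is_key_originator` paragraphs tell the reader to copy `sp-key.pem` and `sp-cert.pem` from the originator host to every other host in the strategy, but say nothing about how. That file is the SP private key for every site under the entity ID, so the README should state that it must be copied only over an authenticated channel (scp/ssh, never emailed along with the metadata), kept readable only by the shibd user on each host, and that compromise of any one host exposes the key for all of them, so rotation has to be done strategy-wide. Relatedly, `idp_metadata.xml (this is simply a copy of the IDP metadata at :idp_metadata_url` is missing its closing parenthesis and should add that the URL must be https, because the SP will trust whatever IdP signing certificate that copy contains. Smaller fixes in the added text: `Identify Provider` -> `Identity Provider`, `daeman` -> `daemon`, `metadat` -> `metadata`, `publically` -> `publicly`, `you shibboleth2.xml` -> `your shibboleth2.xml`, `in in a file` -> `in a file`, and `if you see this more in a strategy` should read `if you set this for more than one site in a strategy`.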
@@ -177,6 +186,8 @@ target hosts run SSH (aka default not-IIS setup)
|
|
177
186
|
|
178
187
|
deployment automation example
|
179
188
|
-----------------------------
|
189
|
+
__Only works on Unix/Apache__
|
190
|
+
|
180
191
|
We have a private repo called shibboleth\_deployer that includes the shibboleths\_lil\_helper generated config files and uses Capistrano to push these files out target servers and restarts shibd and httpd. It's usage looks like:
|
181
192
|
|
182
193
|
cap deploy HOST=asr-web-dev4.oit.umn.edu
|
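Review bot: the Unix/Apache restriction is now stated twice, in the `Deployment automation (on Unix/Apache)` heading and again as the bold `__Only works on Unix/Apache__` line added here; one is enough. Since the surrounding paragraph is being touched, also fix `push these files out target servers` -> `out to target servers` and `It's usage` -> `Its usage`.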
@@ -204,36 +215,26 @@ from the /etc/httpd/conf.d dir
|
|
204
215
|
|
205
216
|
ln -s /etc/shibboleth_deployer/current/shibboleths_lil_helper/generated/apache_shib_test_server/asr-web-dev4.oit.umn.edu/shib_apache.conf shib_apache.conf
|
206
217
|
|
207
|
-
|
208
|
-
|
209
|
-
|
210
|
-
|
211
|
-
* Improve the documentation! The whole purpose of this tool is to
|
212
|
-
provide a straight-forward path to setting up a Shibboleth SP.
|
218
|
+
Staying up-to-date
|
219
|
+
------------------
|
220
|
+
__This code is under active development__.
|
213
221
|
|
214
|
-
|
215
|
-
|
216
|
-
|
222
|
+
* Use `gem update shibboleths_lil_helper` to get the most current version.
|
223
|
+
* See CHANGLOG.markdown for the changes associated with each gem
|
224
|
+
release.
|
217
225
|
|
218
|
-
|
219
|
-
|
220
|
-
|
226
|
+
How to help/contribute
|
227
|
+
-----------
|
228
|
+
* To suggest enhancements or changes let us know via Github Issues (preferred) or email.
|
221
229
|
|
222
|
-
|
223
|
-
------------
|
224
|
-
* Joe Goggins, Academic Support Resources, goggins@umn.edu
|
225
|
-
* Chris Dinger, Academic Support Resources, ding0057@umn.edu
|
230
|
+
* To share your experience, tricks, nuances, gotchas, and perspectives, please see and add to the [Github Wiki](https://github.com/umn-asr/shibboleths_lil_helper/wiki).
|
226
231
|
|
227
|
-
|
228
|
-
----------------
|
229
|
-
Thanks to these folks for providing feedback and willingness to pilot
|
230
|
-
the tool.
|
232
|
+
* To add features or fix stuff yourself: fork, implement, issue a pull request.
|
231
233
|
|
232
|
-
*
|
233
|
-
* Debbie Gillespie, Computer Science and Engineering
|
234
|
-
* Eva Young, Office of Institional Compliance
|
235
|
-
* Josh Buysse, CLA Office of Information Technology
|
236
|
-
* Aaron Zirbes, Environmental Health Sciences
|
237
|
-
* Rex Wheeler, University of Minnesota Extension
|
234
|
+
* To show your support financially you can [donate a couple bucks to this project here](http://pledgie.com/campaigns/17458).
|
238
235
|
|
239
|
-
|
236
|
+
Author
|
237
|
+
------
|
238
|
+
* Joe Goggins, Academic Support Resources, goggins@umn.edu
|
239
|
+
|
240
|
+
Copyright (c) 2012 Regents of the University of Minnesota
|
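Review bot: `See CHANGLOG.markdown` misspells the file name, and the diff's own file list shows `TODOS.txt` rather than a `.markdown` file, so confirm the changelog exists under exactly the name and case given here. The new `How to help/contribute` underline is shorter than its heading; markdown accepts that, but the rest of the README matches underline length to the heading. Finally, this hunk removes Chris Dinger from the authors and drops the whole acknowledgements list; if that is intended, a one-line pointer to the git log or the wiki under `Author` would keep the credit visible.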
data/TODOS.txt
CHANGED
@@ -4,6 +4,12 @@ TODOS
|
|
4
4
|
will be expected to snag the X509Data and put it into the config somehow.
|
5
5
|
|
6
6
|
DONE
|
7
|
+
* Make note that JRuby does not work w SLH.
|
8
|
+
* Tweak shib_apache.conf template
|
9
|
+
Include ref to https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig in shib_apache.conf
|
10
|
+
Include
|
11
|
+
ShibConfig /swadm/etc/shibboleth/shibboleth2.xml
|
12
|
+
"Specific requirements are make" to "are made"
|
7
13
|
* Move the set :site_id to the correct area in the config.rb.erb
|
8
14
|
* Added note in readme: Broke because of libxml2 lacking http://nokogiri.org/tutorials/installing_nokogiri.html
|
9
15
|
* after slh generate, tell the user exactly where they should put the files.
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.0.
|
1
|
+
1.0.9
|
data/lib/slh/cli.rb
CHANGED
@@ -20,7 +20,7 @@ module Slh
|
|
20
20
|
|
21
21
|
This is Shibboleth's Lil Helper.
|
22
22
|
He'll help you create consistent
|
23
|
-
___,@ config XML for your Shibboleth-Native
|
23
|
+
___,@ config XML for your Shibboleth-Native
|
24
24
|
/ < Service-Provider servers (Apache or IIS)
|
25
25
|
,_ / \ _, without pulling your hair out in frustration.
|
26
26
|
? \`/______\`/
|
@@ -81,10 +81,10 @@ OPTIONAL COMMANDS
|
|
81
81
|
Summarizes the configuration described in shibboleths_lil_helper/config.rb
|
82
82
|
|
83
83
|
OTHER DOCUMENTATION SOURCES (not just this tool)
|
84
|
-
https://
|
85
|
-
|
86
|
-
|
87
|
-
There are
|
84
|
+
* The official page of this tool: https://github.com/umn-asr/shibboleths_lil_helper/
|
85
|
+
* The official Shibboleth Wiki: https://wiki.shibboleth.net/
|
86
|
+
* Doc within this project--(the doc folder)
|
87
|
+
There are some short little developer oriented tips that could be useful
|
88
88
|
|
89
89
|
EOS
|
90
90
|
end
|
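Review bot: the third bullet `* Doc within this project--(the doc folder)` is followed by a dangling sentence `There are some short little developer oriented tips that could be useful`; fold it into the bullet (for example `* The doc folder in this project: short developer-oriented tips`) so the help text does not end mid-thought.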
data/lib/slh/cli/generate.rb
CHANGED
@@ -28,6 +28,6 @@ class Slh::Cli::Generate < Slh::Cli::HostFilterableBase
|
|
28
28
|
Slh::Cli.instance.output " This makes the X509Certificate stuff in all metadata for all sites associated with an entity_id match"
|
29
29
|
end
|
30
30
|
|
31
|
-
Slh::Cli.instance.output "You MUST deploy these files your web servers and restart httpd and shibd for subsequent commands to work", :highlight => true
|
31
|
+
Slh::Cli.instance.output "You MUST deploy these files your web servers and restart httpd/IIS and shibd/Shibboleth Service for subsequent commands to work", :highlight => true
|
32
32
|
end
|
33
33
|
end
|
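Review bot: the highlighted message still reads `You MUST deploy these files your web servers` (missing `to`); since this line is being edited anyway, fix it here. Consider also printing the generated directory path in the same message, given the TODO in this release about telling the user exactly where the files go after `slh generate`.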
@@ -1,27 +1,4 @@
|
|
1
1
|
class Slh::Cli::GenerateMetadata < Slh::Cli::HostFilterableBase
|
2
|
-
|
3
|
-
# def perform_action
|
4
|
-
# Slh.strategies.each do |strategy|
|
5
|
-
# strategy.hosts.each do |host|
|
6
|
-
# next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
|
7
|
-
# host_dir = strategy.config_dir_for_host(host)
|
8
|
-
# file_path = 'sp_metadata_for_host_to_give_to_idp.xml'
|
9
|
-
# @strategy = strategy
|
10
|
-
# @host = host
|
11
|
-
# # Global config shared across vhosts like the X509Certificate
|
12
|
-
# # uses the first site arbirarily
|
13
|
-
# @first_site_for_host = @host.sites.first
|
14
|
-
# Slh::Cli.instance.output "Generating metadata for #{host.name}"
|
15
|
-
# the_written_file = "sp_metadata_for_#{host.name.gsub(/[^a-zA-Z0-9\-_\.]/,'_')}.xml"
|
16
|
-
# the_written_path = File.join(host_dir, the_written_file)
|
17
|
-
# File.open(the_written_path,'w') do |f|
|
18
|
-
# f.write(ERB.new(strategy.config_template_content(file_path)).result(binding))
|
19
|
-
# Slh::Cli.instance.output "Wrote file to #{the_written_path}"
|
20
|
-
# end
|
21
|
-
# end
|
22
|
-
# end
|
23
|
-
# end
|
24
|
-
|
25
2
|
def perform_action
|
26
3
|
template_rel_file_path ='sp_metadata_for_entity_id_to_give_to_idp.xml'
|
27
4
|
Slh.strategies.each do |strategy|
|
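Review bot: deleting the commented-out per-host implementation is right (its template `sp_metadata_for_host_to_give_to_idp.xml.erb` is removed in this release too), but the class still inherits `Slh::Cli::HostFilterableBase` while the surviving `perform_action` iterates `Slh.strategies` to write one file per entity ID. The removed code was where `@options[:filter]` was matched against `host.name`; if the host filter no longer affects this command, either drop the base class or document that `generate_metadata` ignores the filter, so nobody assumes a filtered run produced filtered metadata.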
data/lib/slh/models/site.rb
CHANGED
@@ -67,8 +67,9 @@ class Slh::Models::Site < Slh::Models::Base
|
|
67
67
|
"#{self.to_https_prefixed_name}/Shibboleth.sso/Metadata"
|
68
68
|
end
|
69
69
|
|
70
|
-
# Gets interpolated into the
|
71
|
-
# file
|
70
|
+
# Gets interpolated into the
|
71
|
+
# sp_metadata_for_entity_id_to_give_to_idp.xml.erb # file
|
72
|
+
#
|
72
73
|
def x509_certificate_string
|
73
74
|
t=self.metadata_nokogiri.clone
|
74
75
|
t.remove_namespaces!
|
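Review bot: the rewritten comment still ends with a stray `# file` fragment in `# sp_metadata_for_entity_id_to_give_to_idp.xml.erb # file`. More usefully, it should say where the certificate comes from: `x509_certificate_string` is parsed out of `metadata_nokogiri`, i.e. the document fetched from the site's own `/Shibboleth.sso/Metadata` URL shown two lines above, so the value handed to the IdP is whatever the live host currently serves. That is worth stating, because `verify_metadata` comparing every site against the `is_key_originator` site is the only check that catches a host serving the wrong certificate.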
@@ -1,30 +1,23 @@
|
|
1
|
-
#
|
1
|
+
# About
|
2
2
|
# =====
|
3
3
|
# This file is the basis for your shibboleth config for
|
4
4
|
# all entities, hosts, sites, and url paths you want to protect for your organization.
|
5
5
|
#
|
6
6
|
# All slh commands utilize this file to do its thing.
|
7
7
|
#
|
8
|
-
# To
|
9
|
-
#
|
10
|
-
# * run slh generate
|
11
|
-
# * deploy the files our to your server to the appropriate place
|
12
|
-
# * fight with your server to get somesite.com/Shibboleth.sso/Metadata spitting out XML
|
13
|
-
# for each host
|
8
|
+
# To run slh commands you need to be in the directory above
|
9
|
+
# shibboleths_lil_helper/config.rb, aka
|
14
10
|
#
|
15
|
-
#
|
16
|
-
#
|
17
|
-
#
|
18
|
-
#
|
19
|
-
#
|
20
|
-
#
|
21
|
-
# * give the metadata to your IDP folks
|
11
|
+
# shibboleth_deployer/
|
12
|
+
# <YOU NEED TO BE IN THIS DIRECTORY>
|
13
|
+
# shibboleths_lil_helper/
|
14
|
+
# <NOT THIS ONE>
|
15
|
+
# generated/
|
16
|
+
# config.rb
|
22
17
|
#
|
23
|
-
#
|
24
|
-
#
|
25
|
-
#
|
26
|
-
#
|
27
|
-
# A strategy
|
18
|
+
# Data Model
|
19
|
+
# ==========
|
20
|
+
# A strategy (you can think of this as a container to hold all config associated with an SP Entity ID)
|
28
21
|
# has one entity
|
29
22
|
# has a metadata url
|
30
23
|
# has many hosts
|
@@ -32,68 +25,88 @@
|
|
32
25
|
# a site has many protected paths
|
33
26
|
# a protected path can require auth, optionally use auth, or restrict to a
|
34
27
|
# particular set of users
|
28
|
+
# Usage
|
29
|
+
# =====
|
30
|
+
# * fill in the REQUIRED items and change stuff that is in ALL CAPS
|
31
|
+
# * follow the instructions at https://github.com/umn-asr/shibboleths_lil_helper
|
35
32
|
#
|
36
33
|
Slh.for_strategy :test_idp do
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
set :
|
34
|
+
# REQUIRED, https://yourorg.umn.edu/shibboleth/default
|
35
|
+
set :sp_entity_id, 'YOUR_ENTITY_ID'
|
36
|
+
# REQUIRED, https://idp-test.shib.umn.edu/metadata.xml
|
37
|
+
set :idp_metadata_url, 'YOUR_IDP_METADATA_URL'
|
38
|
+
# OPTIONAL
|
39
|
+
set :error_support_contact, 'YOUR_ERROR_SUPPORT_EMAIL_ADDRESS'
|
41
40
|
|
41
|
+
# REQUIRED
|
42
42
|
# Can be either
|
43
|
-
#
|
44
|
-
#
|
45
|
-
#
|
46
|
-
|
43
|
+
# for_apache_host
|
44
|
+
# or
|
45
|
+
# for_iis_host
|
46
|
+
# SOMEHOSTNAME.COM does not matter externally and might have the same
|
47
|
+
# name as a site underneath it. Most of the times the actual hostname of a
|
48
|
+
# server is different than the sites that live on it
|
49
|
+
#
|
50
|
+
for_apache_host 'SOMEHOSTNAME.COM' do
|
51
|
+
# OPTIONAL
|
47
52
|
# uncomment if your shib stuff lives in a non-standard location
|
48
|
-
# set :shib_prefix, '/swadm/etc/shibboleth'
|
49
|
-
|
53
|
+
# set :shib_prefix, '/swadm/etc/shibboleth'
|
50
54
|
#
|
51
|
-
#
|
52
|
-
|
53
|
-
|
55
|
+
# REQUIRED
|
56
|
+
# replace with the site of your server
|
57
|
+
for_site 'SOMESITENAME1.COM' do
|
58
|
+
# REQUIRED if this site is underneath a "for_iis_host" block
|
54
59
|
# uncomment if and fill-in if you are using IIS
|
55
|
-
# set :site_id, "
|
56
|
-
#
|
60
|
+
# set :site_id, "YOU_MUST_SET_THE_SITE_ID_HERE_IF_ON_IIS"
|
57
61
|
#
|
58
|
-
#
|
59
|
-
#
|
62
|
+
# REQUIRED
|
63
|
+
# Each strategy must set this for exactly one site.
|
64
|
+
# Its used as the authoritative source to from which all other
|
60
65
|
# sites metadata's X509Certificate should match
|
61
66
|
# the sp-key.pem and sp-cert.pem files from this host should be
|
62
67
|
# copied to all other hosts underneath the strategy
|
63
|
-
set :is_key_originator, true
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
#
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
#
|
94
|
-
#
|
95
|
-
#
|
68
|
+
set :is_key_originator, true
|
69
|
+
|
70
|
+
# REQUIRED for each path you want to protect (or "/" if the entire site)
|
71
|
+
# You should have at least one of these for each site, but can have many
|
72
|
+
# There are three "flavors" of protection
|
73
|
+
# authentication_required: Web-server will force login for any path underneath it
|
74
|
+
# i.e.
|
75
|
+
# protect '/' do
|
76
|
+
# set :flavor, :authentication_required
|
77
|
+
# end
|
78
|
+
#
|
79
|
+
# authentication_optional: Makes it possible for
|
80
|
+
# the app layer to redirect to Shibboleth.sso/Login
|
81
|
+
# Use this when you want the app/site (rather than the web-server)
|
82
|
+
# to be in control of authentication
|
83
|
+
# i.e.
|
84
|
+
# protect 'lazy_auth' do
|
85
|
+
# set :flavor, :authentication_optional
|
86
|
+
# end
|
87
|
+
#
|
88
|
+
# authentication_required_for_specific_users: Require auth and restrict to
|
89
|
+
# a particular set of users (not-tested extensively)
|
90
|
+
# i.e.
|
91
|
+
# protect 'specific_users' do
|
92
|
+
# set :flavor, :authentication_required_for_specific_users
|
93
|
+
# set :specific_users, %w(SOMEUSER@SOME.DOMAIN.COM ANOTHERUSER@SOME.DOMAIN.COM)
|
94
|
+
# end
|
95
|
+
#
|
96
|
+
protect '/' do
|
97
|
+
set :flavor, :authentication_optional
|
98
|
+
end # ... for each protected dir for this site ...
|
99
|
+
end # ... for each site on this host ...
|
100
|
+
end # ... for each host within this strategy (using this entity_id)
|
101
|
+
end # ... for each strategy/aka entity_id ...
|
102
|
+
|
103
|
+
# OPTIONAL
|
104
|
+
# Uncomment these 3 lines if you want to create a new strategy that is identical
|
105
|
+
# an existing one but integrates against a different IDP. The third param here
|
106
|
+
# should be the URL where the IDP metadata lives (NOT THE IDP ENTITY ID).
|
96
107
|
#
|
97
|
-
#
|
98
|
-
#
|
99
|
-
#
|
108
|
+
# This creates a new strategy from an existing one who's only difference is the idp_metadata.xml
|
109
|
+
# comes from THE_PRODUCTION_IDP_METADATA_URL rather than the one specified in the strategy you are cloning from (the first param)
|
110
|
+
# Slh.clone_strategy_for_new_idp :test_idp, # The name of the strategy you are cloning from
|
111
|
+
# :production_idp, # the name of the strategy you are cloning to
|
112
|
+
# 'THE_PRODUCTION_IDP_METADATA_URL' # the url where the production idp metadata lives
|
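Review bot: the shipped default `protect '/' do set :flavor, :authentication_optional end` means a freshly generated shibboleth2.xml forces login nowhere; the web server only makes a session possible and the application must redirect to `/Shibboleth.sso/Login` itself. That is a reasonable lazy-session default for app-controlled auth, but the comment directly above it should say so explicitly (and that `:authentication_required` is the flavor to use when the web server must gate the path), otherwise someone deploying the template as-is will believe `/` is protected. Two smaller points: the flavor examples use `protect 'lazy_auth'` and `protect 'specific_users'` without a leading slash while the live example uses `'/'`, so state whether the slash is required; and for `:authentication_required_for_specific_users`, name the attribute the `specific_users` list is matched against. Grammar in the clone_strategy comment: `identical an existing one` -> `identical to an existing one`, `who's only difference` -> `whose only difference`.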
@@ -1,7 +1,18 @@
|
|
1
|
-
|
1
|
+
##########################################
|
2
|
+
# Shibboleth Apache Global configuration #
|
3
|
+
##########################################
|
4
|
+
# * See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
|
5
|
+
# For details on the switches that can be flipped in the mod_shib module
|
6
|
+
#
|
7
|
+
|
8
|
+
|
9
|
+
# This is required to be on for Native SP.
|
2
10
|
UseCanonicalName On
|
3
11
|
|
4
|
-
<%
|
12
|
+
<% if @host.shib_prefix.nil? %>
|
13
|
+
# Note: Intentionally not specifying ShibConfig '/some/crazy/path', assumed to be default
|
14
|
+
<% else %>
|
15
|
+
# Specifying a non-standard config file location
|
5
16
|
ShibConfig <%= File.join(@host.shib_prefix, 'shibboleth2.xml') %>
|
6
17
|
<% end %>
|
7
18
|
|
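Review bot: `# This is required to be on for Native SP.` above `UseCanonicalName On` should say why, because it is a security setting rather than a quirk: with it on, Apache (and therefore mod_shib) derives self-referential URLs, including the SP's handler and return URLs, from each vhost's `ServerName` instead of the client-supplied `Host` header. The corollary belongs in the comment too: every vhost on the host then needs an accurate `ServerName` (plus `ServerAlias` for any other names), or the hostname the SP computes will not match the `<Host>` entries in the RequestMap or the endpoints in the SP metadata.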
@@ -17,7 +28,8 @@ LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
|
|
17
28
|
|
18
29
|
# Enable shibboleth for all vhosts, does NOT require auth anywhere
|
19
30
|
# just makes it possible.
|
20
|
-
# Specific auth requirements are
|
31
|
+
# Specific auth requirements are made in the <RequestMap> in shibboleth2.xml
|
32
|
+
# rather than in apache conf files
|
21
33
|
<Location />
|
22
34
|
AuthType shibboleth
|
23
35
|
Require shibboleth
|
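Review bot: the expanded comment correctly says enforcement happens in the `<RequestMap>` of shibboleth2.xml rather than here, but the consequence should be spelled out: `AuthType shibboleth` / `Require shibboleth` under `<Location />` runs every request through mod_shib with no session requirement, so a host whose shibboleth2.xml was not deployed or not reloaded serves everything without forcing a login and without any error. Add a line saying that after each deploy a protected path on every host must be checked for the redirect to `/Shibboleth.sso/Login` (the README's step 7), since that redirect is the only visible sign the RequestMap took effect.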
@@ -4,15 +4,14 @@
|
|
4
4
|
# -*- encoding: utf-8 -*-
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
|
-
s.name =
|
8
|
-
s.version = "1.0.
|
7
|
+
s.name = "shibboleths_lil_helper"
|
8
|
+
s.version = "1.0.9"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Joe Goggins"]
|
12
|
-
s.date =
|
13
|
-
s.
|
14
|
-
s.
|
15
|
-
s.email = %q{goggins@umn.edu}
|
12
|
+
s.date = "2012-05-24"
|
13
|
+
s.description = "See the summary text."
|
14
|
+
s.email = "goggins@umn.edu"
|
16
15
|
s.executables = ["slh"]
|
17
16
|
s.extra_rdoc_files = [
|
18
17
|
"LICENSE.txt",
|
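Review bot: `s.description = "See the summary text."` is the string rubygems.org displays as the gem description; put the summary sentence itself there (or a longer paragraph) instead of a pointer that only makes sense inside the gemspec.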
@@ -60,7 +59,6 @@ Gem::Specification.new do |s|
|
|
60
59
|
"lib/slh/templates/shib_apache.conf.erb",
|
61
60
|
"lib/slh/templates/shibboleth2.xml.erb",
|
62
61
|
"lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb",
|
63
|
-
"lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb",
|
64
62
|
"shibboleths_lil_helper.gemspec",
|
65
63
|
"test/fixtures/dummy1.rb",
|
66
64
|
"test/fixtures/dummy1_output/attribute-map.xml",
|
@@ -69,17 +67,16 @@ Gem::Specification.new do |s|
|
|
69
67
|
"test/helper.rb",
|
70
68
|
"test/test_shibboleths_lil_helper.rb"
|
71
69
|
]
|
72
|
-
s.homepage =
|
70
|
+
s.homepage = "http://github.com/umn-asr/shibboleths_lil_helper"
|
73
71
|
s.licenses = ["MIT"]
|
74
72
|
s.require_paths = ["lib"]
|
75
|
-
s.rubygems_version =
|
76
|
-
s.summary =
|
73
|
+
s.rubygems_version = "1.8.10"
|
74
|
+
s.summary = "A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations."
|
77
75
|
|
78
76
|
if s.respond_to? :specification_version then
|
79
|
-
current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
|
80
77
|
s.specification_version = 3
|
81
78
|
|
82
|
-
if Gem::Version.new(Gem::
|
79
|
+
if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
|
83
80
|
s.add_runtime_dependency(%q<activesupport>, [">= 3.0.9"])
|
84
81
|
s.add_runtime_dependency(%q<nokogiri>, [">= 0"])
|
85
82
|
s.add_runtime_dependency(%q<i18n>, [">= 0"])
|
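Review bot: the runtime dependencies in the context lines are floors only, `activesupport >= 3.0.9`, `nokogiri >= 0`, `i18n >= 0`; any future major release of those gems satisfies them, which is how a later `gem install shibboleths_lil_helper` pulls in an untested or incompatible version. Since the gemspec is being regenerated here anyway, add upper bounds (for example `~> 3.0` for activesupport and a `~>` range for nokogiri) matching the versions in the Gemfile.lock the release was tested with.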
metadata
CHANGED
@@ -1,12 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: shibboleths_lil_helper
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
|
4
|
+
hash: 5
|
5
|
+
prerelease:
|
5
6
|
segments:
|
6
7
|
- 1
|
7
8
|
- 0
|
8
|
-
-
|
9
|
-
version: 1.0.
|
9
|
+
- 9
|
10
|
+
version: 1.0.9
|
10
11
|
platform: ruby
|
11
12
|
authors:
|
12
13
|
- Joe Goggins
|
@@ -14,111 +15,126 @@ autorequire:
|
|
14
15
|
bindir: bin
|
15
16
|
cert_chain: []
|
16
17
|
|
17
|
-
date:
|
18
|
-
default_executable: slh
|
18
|
+
date: 2012-05-24 00:00:00 Z
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
21
|
-
|
21
|
+
type: :runtime
|
22
|
+
prerelease: false
|
23
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
24
|
+
none: false
|
22
25
|
requirements:
|
23
26
|
- - ">="
|
24
27
|
- !ruby/object:Gem::Version
|
28
|
+
hash: 21
|
25
29
|
segments:
|
26
30
|
- 3
|
27
31
|
- 0
|
28
32
|
- 9
|
29
33
|
version: 3.0.9
|
30
|
-
|
31
|
-
prerelease: false
|
34
|
+
version_requirements: *id001
|
32
35
|
name: activesupport
|
33
|
-
type: :runtime
|
34
36
|
- !ruby/object:Gem::Dependency
|
35
|
-
|
37
|
+
type: :runtime
|
38
|
+
prerelease: false
|
39
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
40
|
+
none: false
|
36
41
|
requirements:
|
37
42
|
- - ">="
|
38
43
|
- !ruby/object:Gem::Version
|
44
|
+
hash: 3
|
39
45
|
segments:
|
40
46
|
- 0
|
41
47
|
version: "0"
|
42
|
-
|
43
|
-
prerelease: false
|
48
|
+
version_requirements: *id002
|
44
49
|
name: nokogiri
|
45
|
-
type: :runtime
|
46
50
|
- !ruby/object:Gem::Dependency
|
47
|
-
|
51
|
+
type: :runtime
|
52
|
+
prerelease: false
|
53
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
54
|
+
none: false
|
48
55
|
requirements:
|
49
56
|
- - ">="
|
50
57
|
- !ruby/object:Gem::Version
|
58
|
+
hash: 3
|
51
59
|
segments:
|
52
60
|
- 0
|
53
61
|
version: "0"
|
54
|
-
|
55
|
-
prerelease: false
|
62
|
+
version_requirements: *id003
|
56
63
|
name: i18n
|
57
|
-
type: :runtime
|
58
64
|
- !ruby/object:Gem::Dependency
|
59
|
-
|
65
|
+
type: :development
|
66
|
+
prerelease: false
|
67
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
68
|
+
none: false
|
60
69
|
requirements:
|
61
70
|
- - ">="
|
62
71
|
- !ruby/object:Gem::Version
|
72
|
+
hash: 3
|
63
73
|
segments:
|
64
74
|
- 0
|
65
75
|
version: "0"
|
66
|
-
|
67
|
-
prerelease: false
|
76
|
+
version_requirements: *id004
|
68
77
|
name: shoulda
|
69
|
-
type: :development
|
70
78
|
- !ruby/object:Gem::Dependency
|
71
|
-
|
79
|
+
type: :development
|
80
|
+
prerelease: false
|
81
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
82
|
+
none: false
|
72
83
|
requirements:
|
73
84
|
- - ~>
|
74
85
|
- !ruby/object:Gem::Version
|
86
|
+
hash: 23
|
75
87
|
segments:
|
76
88
|
- 1
|
77
89
|
- 0
|
78
90
|
- 0
|
79
91
|
version: 1.0.0
|
80
|
-
|
81
|
-
prerelease: false
|
92
|
+
version_requirements: *id005
|
82
93
|
name: bundler
|
83
|
-
type: :development
|
84
94
|
- !ruby/object:Gem::Dependency
|
85
|
-
|
95
|
+
type: :development
|
96
|
+
prerelease: false
|
97
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
98
|
+
none: false
|
86
99
|
requirements:
|
87
100
|
- - ~>
|
88
101
|
- !ruby/object:Gem::Version
|
102
|
+
hash: 7
|
89
103
|
segments:
|
90
104
|
- 1
|
91
105
|
- 6
|
92
106
|
- 4
|
93
107
|
version: 1.6.4
|
94
|
-
|
95
|
-
prerelease: false
|
108
|
+
version_requirements: *id006
|
96
109
|
name: jeweler
|
97
|
-
type: :development
|
98
110
|
- !ruby/object:Gem::Dependency
|
99
|
-
|
111
|
+
type: :development
|
112
|
+
prerelease: false
|
113
|
+
requirement: &id007 !ruby/object:Gem::Requirement
|
114
|
+
none: false
|
100
115
|
requirements:
|
101
116
|
- - ">="
|
102
117
|
- !ruby/object:Gem::Version
|
118
|
+
hash: 3
|
103
119
|
segments:
|
104
120
|
- 0
|
105
121
|
version: "0"
|
106
|
-
|
107
|
-
prerelease: false
|
122
|
+
version_requirements: *id007
|
108
123
|
name: rcov
|
109
|
-
type: :development
|
110
124
|
- !ruby/object:Gem::Dependency
|
111
|
-
|
125
|
+
type: :development
|
126
|
+
prerelease: false
|
127
|
+
requirement: &id008 !ruby/object:Gem::Requirement
|
128
|
+
none: false
|
112
129
|
requirements:
|
113
130
|
- - ">="
|
114
131
|
- !ruby/object:Gem::Version
|
132
|
+
hash: 3
|
115
133
|
segments:
|
116
134
|
- 0
|
117
135
|
version: "0"
|
118
|
-
|
119
|
-
prerelease: false
|
136
|
+
version_requirements: *id008
|
120
137
|
name: ruby-debug
|
121
|
-
type: :development
|
122
138
|
description: See the summary text.
|
123
139
|
email: goggins@umn.edu
|
124
140
|
executables:
|
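Review bot: `rcov` and `ruby-debug` are still declared with `>= 0` in this regenerated block while `bundler` (`~> 1.0.0`) and `jeweler` (`~> 1.6.4`) are pinned; the added `hash:` and `none: false` keys show this `metadata` is emitted by a newer RubyGems from the gemspec rather than edited by hand, so the floor for those two development dependencies should be set in the gemspec (for example with `~>` on a known-good version) so that a fresh build cannot pull an arbitrary future release of either.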
@@ -170,7 +186,6 @@ files:
|
|
170
186
|
- lib/slh/templates/shib_apache.conf.erb
|
171
187
|
- lib/slh/templates/shibboleth2.xml.erb
|
172
188
|
- lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb
|
173
|
-
- lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb
|
174
189
|
- shibboleths_lil_helper.gemspec
|
175
190
|
- test/fixtures/dummy1.rb
|
176
191
|
- test/fixtures/dummy1_output/attribute-map.xml
|
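Review bot: dropping `lib/slh/templates/sp_metadata_for_host_to_give_to_idp.xml.erb` from the `files` list (the template itself is deleted later in this commit) means any caller that still renders the per-host template will fail with a missing-file error at runtime rather than at packaging time; confirm that every metadata generation path now goes through the remaining `lib/slh/templates/sp_metadata_for_entity_id_to_give_to_idp.xml.erb` and that no test fixture still expects per-host output.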
@@ -178,7 +193,6 @@ files:
|
|
178
193
|
- test/fixtures/dummy1_output/shibboleth2.xml
|
179
194
|
- test/helper.rb
|
180
195
|
- test/test_shibboleths_lil_helper.rb
|
181
|
-
has_rdoc: true
|
182
196
|
homepage: http://github.com/umn-asr/shibboleths_lil_helper
|
183
197
|
licenses:
|
184
198
|
- MIT
|
@@ -188,23 +202,27 @@ rdoc_options: []
|
|
188
202
|
require_paths:
|
189
203
|
- lib
|
190
204
|
required_ruby_version: !ruby/object:Gem::Requirement
|
205
|
+
none: false
|
191
206
|
requirements:
|
192
207
|
- - ">="
|
193
208
|
- !ruby/object:Gem::Version
|
209
|
+
hash: 3
|
194
210
|
segments:
|
195
211
|
- 0
|
196
212
|
version: "0"
|
197
213
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
214
|
+
none: false
|
198
215
|
requirements:
|
199
216
|
- - ">="
|
200
217
|
- !ruby/object:Gem::Version
|
218
|
+
hash: 3
|
201
219
|
segments:
|
202
220
|
- 0
|
203
221
|
version: "0"
|
204
222
|
requirements: []
|
205
223
|
|
206
224
|
rubyforge_project:
|
207
|
-
rubygems_version: 1.
|
225
|
+
rubygems_version: 1.8.10
|
208
226
|
signing_key:
|
209
227
|
specification_version: 3
|
210
228
|
summary: A ruby gem to streamline the setup, deployment, and ongoing management of Apache & IIS web-servers running the Shibboleth Native Service Provider implementations.
|
@@ -1,33 +0,0 @@
|
|
1
|
-
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="<%= Slh::Models::Version::VERSION %>" entityID="<%= @strategy.sp_entity_id %>">
|
2
|
-
|
3
|
-
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
|
4
|
-
<md:Extensions>
|
5
|
-
<% @host.sites.each do |site| %>
|
6
|
-
<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Login"/>
|
7
|
-
<% end %>
|
8
|
-
</md:Extensions>
|
9
|
-
<md:KeyDescriptor>
|
10
|
-
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
11
|
-
<ds:KeyName><%= @host.name %></ds:KeyName>
|
12
|
-
<ds:X509Data>
|
13
|
-
<ds:X509SubjectName>CN=<%= @host.name %></ds:X509SubjectName>
|
14
|
-
<ds:X509Certificate><%= @first_site_for_host.x509_certificate_string %></ds:X509Certificate>
|
15
|
-
</ds:X509Data>
|
16
|
-
</ds:KeyInfo>
|
17
|
-
</md:KeyDescriptor>
|
18
|
-
|
19
|
-
<% @host.sites.each do |site| %>
|
20
|
-
<!-- BEGIN <%= site.name %> -->
|
21
|
-
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/Artifact/SOAP" index="0"/>
|
22
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST" index="0"/>
|
23
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
|
24
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/Artifact" index="2"/>
|
25
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML2/ECP" index="3"/>
|
26
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/POST" index="4"/>
|
27
|
-
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="<%= site.to_https_prefixed_name %>/Shibboleth.sso/SAML/Artifact" index="5"/>
|
28
|
-
<!-- END <%= site.name %> -->
|
29
|
-
<% end %>
|
30
|
-
</md:SPSSODescriptor>
|
31
|
-
</md:EntityDescriptor>
|
32
|
-
|
33
|
-
|
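Review bot: the deleted per-host template had two defects that should be confirmed absent from the surviving `sp_metadata_for_entity_id_to_give_to_idp.xml.erb`: the `@host.sites.each` loop restarts `index` at 0 for every site, so a host with more than one site emits duplicate `index` values on `md:AssertionConsumerService` and `md:ArtifactResolutionService` within a single `md:SPSSODescriptor`, where SAML metadata requires the index to be unique per endpoint type; and `ID="<%= Slh::Models::Version::VERSION %>"` sets an xs:ID attribute to a dotted version string beginning with a digit, which is not a valid NCName and fails schema validation at an IdP that validates metadata. The key material also came only from `@first_site_for_host.x509_certificate_string`, so any other site on the same host with a different certificate was never represented in the published `md:KeyDescriptor`, which is a sound reason for retiring the per-host variant in favour of the per-entity-id one.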