mech_saml_ec

This is an open source implementation of https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec.

View and report issues at: https://github.com/jbasney/mech_saml_ec/issues

Discuss at: https://groups.google.com/d/forum/saml-ec-gssapi-dev

-------------------------------------

Installing required RPMs:

(Instructions taken from 
http://www.project-moonshot.org/devwiki/ConfiguringRHEL/)

(Do we need to use Moonshot RPMs? See fedushare#2).

(1) Install EPEL:

# sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
# sudo yum install epel-release

(2) If using SELinux, set it to permissive (takes effect immediately and lasts
until the next reboot; the write must happen as root, so pipe through tee):

# echo 0 | sudo tee /selinux/enforce

(3) Create a new file /etc/yum.repos.d/moonshot.repo (the redirect has to run
as root, so the file is written through "sudo tee"; note that gpgcheck=0
disables RPM signature verification for these repositories, so packages from
them are installed unverified):

# sudo tee /etc/yum.repos.d/moonshot.repo > /dev/null <<'EOF'
[Moonshot]
name=Moonshot
baseurl=http://yum.dev.ja.net/RPMS/x86_64/
enabled=1
gpgcheck=0

[Moonshot-source]
name=Moonshot Source
baseurl=http://yum.dev.ja.net/SRPM/
enabled=0
gpgcheck=0
EOF

(4) Install Moonshot RPMs with "yum":

# sudo yum -y install \
    shibboleth \
    shibboleth-devel \
    libxerces-c-3_1 \
    libxerces-c-devel \
    libsaml7 \
    libsaml-devel \
    opensaml-schemas \
    liblog4shib1 \
    liblog4shib-devel \
    libxml-security-c16 \
    libxml-security-c-devel \
    libshibresolver1 \
    libshibresolver-devel \
    libxmltooling5 \
    libxmltooling-devel \
    xmltooling-schemas \
    libevent \
    libxml2-devel \
    libtool \
    gcc gcc-c++

(5) If you are running RHEL6 (this may also apply to CentOS6), you may see a
warning about libcurl, and the library may then segfault. This is because Red
Hat builds the curl libraries against the Network Security Services (NSS)
stack instead of OpenSSL. See the following for more information:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6

-------------------------------------

Configuration:

The library depends on correct configuration of the Shibboleth Service
Provider (SP) software. You need to choose an entityID for your SP, create
metadata for the SP (any Identity Provider (IdP) you use needs this metadata),
and configure a few files in /etc/shibboleth/. In particular, you need to
modify the following files.

(1) /etc/shibboleth/shibboleth2.xml
This is the main Shibboleth SP configuration file. You should be able to use
the provided shibboleth2.xml.dist file as a starting point. You must set the
following sections:
  (a) <ApplicationDefaults entityID="https://your.org/shibboleth"
                     REMOTE_USER="persistent-id targeted-id eppn"
                     signing="true">
      The entityID is set to your chosen entityID and must match the entityID
      in the metadata for the SP. "signing" must be set to true so that SAML
      messages passed between the server and client are signed.
  (b) <MetadataProvider ...>
      You must have at least one MetadataProvider section so the library
      can verify the IdP used to authenticate the user.

(2) /etc/shibboleth/attribute-map.xml
In order to get a local user name for the authenticated user, you must map
one attribute released by the IdP to "local-login-user". This actually
requires two steps:
  (a) The IdP must be configured to release an attribute to your SP's
      entityID.  It's not critical WHICH attribute is released, as long as
      the IdP and SP agree. For this discussion, let's say the IdP has
      released "givenName" (urn:oid:2.5.4.42).
  (b) On the SP side, map this attribute to "local-login-user" by adding the
      following to attribute-map.xml:
      <Attribute name="urn:oid:2.5.4.42" id="local-login-user"/>
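As an added sanity check for the two configuration steps above (example code written for this README, not part of the mech_saml_ec project), the script below parses a shibboleth2.xml and an attribute-map.xml and reports whether the entityID matches the SP metadata, whether signing="true" is set, whether at least one MetadataProvider exists, and which IdP attribute is mapped to local-login-user. The XML documents in it are constructed samples; the namespace URIs are the real Shibboleth SP ones, while the idp-metadata.xml file name and the second "broken" sample are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET

# Real Shibboleth SP namespaces for the two files discussed above.
SHIB_NS = "urn:mace:shibboleth:2.0:native:sp:config"
ATTR_NS = "urn:mace:shibboleth:2.0:attribute-map"

# Constructed sample (not the project's shibboleth2.xml.dist); the
# idp-metadata.xml file name is an assumption.
SHIBBOLETH2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://your.org/shibboleth"
                       REMOTE_USER="persistent-id targeted-id eppn"
                       signing="true">
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample with the two mistakes the README warns about:
# signing left off and no MetadataProvider at all.
BROKEN_SHIBBOLETH2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://your.org/shibboleth"
                       REMOTE_USER="persistent-id targeted-id eppn"
                       signing="false">
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed attribute-map.xml mapping givenName to local-login-user.
ATTRIBUTE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:2.5.4.42" id="local-login-user"/>
</Attributes>
"""


def check_sp_config(shibboleth2_xml, expected_entity_id):
    """Return a list of problems found in shibboleth2.xml (empty list means OK)."""
    problems = []
    root = ET.fromstring(shibboleth2_xml)
    app = root.find(f"{{{SHIB_NS}}}ApplicationDefaults")
    if app is None:
        return ["no <ApplicationDefaults> element"]

    # entityID must be the one published in the SP metadata.
    entity_id = app.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(
            f"entityID {entity_id!r} does not match SP metadata entityID "
            f"{expected_entity_id!r}"
        )

    # signing must be "true" so SAML messages between server and client are signed.
    if app.get("signing", "false").lower() != "true":
        problems.append('signing is not "true": SAML messages would be unsigned')

    # MetadataProvider may sit directly under ApplicationDefaults or be nested
    # (for example inside a chaining provider), so search the whole subtree.
    if app.find(f".//{{{SHIB_NS}}}MetadataProvider") is None:
        problems.append("no <MetadataProvider>: the library cannot verify the IdP")
    return problems


def check_attribute_map(attribute_map_xml):
    """Return the IdP attribute name(s) mapped to id="local-login-user"."""
    root = ET.fromstring(attribute_map_xml)
    return [
        attr.get("name")
        for attr in root.iter(f"{{{ATTR_NS}}}Attribute")
        if attr.get("id") == "local-login-user"
    ]


if __name__ == "__main__":
    for label, doc in (("good", SHIBBOLETH2_XML), ("broken", BROKEN_SHIBBOLETH2_XML)):
        print(label, check_sp_config(doc, "https://your.org/shibboleth") or "OK")
    print("local-login-user <-", check_attribute_map(ATTRIBUTE_MAP_XML))
```

Running it against the good sample prints OK; against the broken sample it reports both the unsigned-messages problem and the missing MetadataProvider, which is exactly the pair of misconfigurations that lets an unverified IdP assertion through. To use it on a real installation, read the two files from /etc/shibboleth/ and pass the entityID from your SP metadata.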

-------------------------------------

Building The Code:

# ./autogen.sh
# ./configure --with-opensaml=/opt/moonshot/ --with-shibresolver=/opt/moonshot/ --with-shibsp=/opt/moonshot/
# make

-------------------------------------

Testing Library with MIT GSS example programs:

1. Start Server as follows. In one window, run:

# ./testserver.sh

   - OR -

# cd gss-sample
# export LD_LIBRARY_PATH=/opt/moonshot/lib64
# ./gss-server -port 3490 test
2. Invoke client as follows. In a second window, run:

# ./testclient.sh <username> <password>

   - OR -

# cd gss-sample
# export LD_LIBRARY_PATH=/opt/moonshot/lib64
# export SAML_EC_IDP='https://boingo.ncsa.uiuc.edu/idp/profile/SAML2/SOAP/ECP'    # Use your IdP's ECP endpoint
# ./gss-client -nw -nx -nm -port 3490 -user <username> -pass <password> -mech "{ 1 3 6 1 4 1 11591 4 6 }" localhost test testmessage
