Differences

This shows you the differences between two versions of the page.

--- progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 11:52] – [Shibboleth installation] andreett@infn.it
+++ progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 13:18] (current) – andreett@infn.it
@@ Line 1: / Line 1: @@
+====== West-Life SSO Integration ======
+==== Shibboleth installation ====
+Install the required modules
+<code bash>
+wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
+yum -y install shibboleth
+</code>
+Deploy the service certificate file in ///etc/shibboleth/sp-cert.pem// and the related service key file in ///etc/shibboleth/sp-key.pem//.
+Change the ownership and permissions for those files:
+<code bash>
+chmod 400 /etc/shibboleth/sp-key.pem
+chmod 600 /etc/shibboleth/sp-cert.pem
+chown shibd.shibd /etc/shibboleth/sp-key.pem
+chown shibd.shibd /etc/shibboleth/sp-cert.pem
+</code>
+The file ///etc/shibboleth/shibboleth2.xml// must contain the following definitions:
+<code xml shibboleth2.xml>
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://egi-cloud.pd.infn.it/dashboard"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://auth.west-life.eu/proxy/saml2/idp/metadata.php">
+              SAML2 SAML1
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator"
+                     Location="/Metadata"
+                     template="egi-cloud-metadata.xml"
+                     signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        <MetadataProvider type="XML"
+            uri="https://auth.west-life.eu/proxy/saml2/idp/metadata.php"
+            backingFilePath="/var/cache/shibboleth/wlife-metadata.xml"
+            reloadInterval="7200"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+</SPConfig>
+</code>
+Create the metadata cache directory
+<code bash>
+mkdir -p /var/cache/shibboleth
+chown shibd.shibd /var/cache/shibboleth
+</code>
+Write the Service Metadata file in /etc/shibboleth/egi-cloud-metadata.xml with the following content:
+<code xml egi-cloud-metadata.xml>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+                     entityID="https://egi-cloud.pd.infn.it/dashboard">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+    <md:Extensions>
+      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+        <mdui:DisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</mdui:DisplayName>
+        <mdui:Description xml:lang="en">The EGI Federated Cloud infrastructure operated by INFN in Padova</mdui:Description>
+        <mdui:InformationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</mdui:InformationURL>
+      </mdui:UIInfo>
+    </md:Extensions>
+    <md:AttributeConsumingService index="1">
+      <md:ServiceName xml:lang="en">https://egi-cloud.pd.infn.it/dashboard</md:ServiceName>
+      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
+                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="mail"
+                             Name="urn:oid:0.9.2342.19200300.100.1.3"
+                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
+                             isRequired="true"/>
+      <md:RequestedAttribute FriendlyName="name"
+                             Name="urn:oid:2.16.840.1.113730.3.1.241"
+                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
+                             isRequired="false"/>
+      <md:RequestedAttribute FriendlyName="entitlement"
+                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
+                             isRequired="false"/>
+    </md:AttributeConsumingService>
+  </md:SPSSODescriptor>
+  <md:Organization>
+    <md:OrganizationName xml:lang="en">INFN</md:OrganizationName>
+    <md:OrganizationDisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</md:OrganizationDisplayName>
+    <md:OrganizationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</md:OrganizationURL>
+  </md:Organization>
+  <md:ContactPerson contactType="technical">
+    <md:EmailAddress>cloud-support@lists.pd.infn.it</md:EmailAddress>
+  </md:ContactPerson>
+</md:EntityDescriptor>
+</code>
+==== Keystone service’s configuration ====
+In the file /etc/httpd/conf.d/wsgi-keystone.conf declare the following definitions:
+<code>
+<VirtualHost _default_:5000>
+    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+        AuthType shibboleth
+        Require shib-session
+        ShibRequestSetting requireSession 1
+        ShibExportAssertion Off
+    </Location>
+    <Location ~ /v3/OS-FEDERATION/identity_providers/wlifeaai/protocols/mapped/auth>
+        AuthType shibboleth
+        Require shib-session
+        ShibRequestSetting requireSession 1
+        ShibExportAssertion Off
+    </Location>
+</VirtualHost>
+</code>
+Configure the OS-Federation environment:
+<code bash>
+openstack group create wlife_group
+openstack role add --group wlife_group --project wenmr _member_
+openstack identity provider create --remote-id https://auth.west-life.eu/proxy/saml2/idp/metadata.php wlifeaai
+openstack mapping create --rules /tmp/wlife_mapping.json wlife_mapping
+openstack federation protocol create mapped --mapping wlife_mapping --identity-provider wlifeaai
+</code>
+the rule file, /tmp/wlife_mapping.json, contains the following definitions:
+<code>
+[
+    {
+        "local": [
+            {
+                "user": { "name": "{0}" },
+                "group": {
+                    "domain": { "name": "Default" },
+                    "name": "wlife_group"
+                }
+            }
+        ],
+        "remote": [
+            {
+                "type": "eppn"
+            }
+        ]
+    }
+]
+</code>
+In the Keystone configuration file, /etc/keystone/keystone.conf, declare the following definitions:
+<code>
+[auth]
+methods = external,password,token,oauth1,oidc,mapped
+oidc = keystone.auth.plugins.mapped.Mapped
+[oidc]
+remote_id_attribute = HTTP_OIDC_ISS
+[mapped]
+remote_id_attribute = Shib-Identity-Provider
+</code>
+==== Horizon configuration ====
+In the Horizon configuration file, /etc/openstack-dashboard/local_settings, define:
+<code>
+WEBSSO_ENABLED = True
+WEBSSO_INITIAL_CHOICE = "credentials"
+WEBSSO_CHOICES = (
+    ("credentials", _("Keystone Credentials")),
+    ("mapped", _("West-Life SSO")),
+    ("oidc", _("INDIGO-DataCloud IAM"))
+)
+</code>
+Restart all services:
+<code bash>
+systemctl enable shibd && systemctl start shibd
+systemctl restart httpd
+</code>
+==== Register the site to the IdP ====
+Send the [[https://egi-cloud.pd.infn.it/Shibboleth.sso/Metadata|metadata]] of the site to the West-Life Identity Provider, as described in [[http://internal-wiki.west-life.eu/index.php/Enabling_SAML2_for_end_services|West-Life SSO guide]]