progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration

progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 12:05]
andreett@infn.it [Shibboleth installation]
progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 13:18] (current)
andreett@infn.it
Line 1: Line 1:
 +
 +====== West-Life SSO Integration ======
 +
 +==== Shibboleth installation ==== 
 +
 +Install the required modules
 +<code bash>
 +wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
 +yum -y install shibboleth
 +</code>
 +
 +Deploy the service certificate file in ///etc/shibboleth/sp-cert.pem// and the related service key file in ///etc/shibboleth/sp-key.pem//.
 +Change the ownership and permissions for those files:
 +<code bash>
 +chmod 400 /etc/shibboleth/sp-key.pem
 +chmod 600 /etc/shibboleth/sp-cert.pem
 +chown shibd.shibd /etc/shibboleth/sp-key.pem
 +chown shibd.shibd /etc/shibboleth/sp-cert.pem
 +</code>
 +
 +The file ///etc/shibboleth/shibboleth2.xml// must contain the following definitions:
 +
 +<code xml shibboleth2.xml>
 +<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
 +    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
 +    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 +    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
 +    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 +    clockSkew="180">
 +
 +    <ApplicationDefaults entityID="https://egi-cloud.pd.infn.it/dashboard"
 +                         REMOTE_USER="eppn persistent-id targeted-id">
 +
 +        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
 +                  checkAddress="false" handlerSSL="true" cookieProps="https">
 +
 +            <SSO entityID="https://auth.west-life.eu/proxy/saml2/idp/metadata.php">
 +              SAML2 SAML1
 +            </SSO>
 +
 +            <Logout>SAML2 Local</Logout>
 +            
 +            <Handler type="MetadataGenerator"
 +                     Location="/Metadata"
 +                     template="egi-cloud-metadata.xml"
 +                     signing="false"/>
 +
 +            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
 +
 +            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
 +
 +            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
 +        </Sessions>
 +
 +        <Errors supportContact="root@localhost"
 +            helpLocation="/about.html"
 +            styleSheet="/shibboleth-sp/main.css"/>
 +        
 +        <MetadataProvider type="XML"
 +            uri="https://auth.west-life.eu/proxy/saml2/idp/metadata.php"
 +            backingFilePath="/var/cache/shibboleth/wlife-metadata.xml"
 +            reloadInterval="7200"/>
 +
 +        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
 +
 +        <AttributeResolver type="Query" subjectMatch="true"/>
 +
 +        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 +
 +        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 +    </ApplicationDefaults>
 +    
 +    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
 +
 +    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 +
 +</SPConfig>
 +</code>
 +
 +Create the metadata cache directory
 +<code bash>
 +mkdir -p /var/cache/shibboleth
 +chown shibd.shibd /var/cache/shibboleth
 +</code>
 +
 +Write the Service Metadata file in /etc/shibboleth/egi-cloud-metadata.xml with the following content:
 +<code xml egi-cloud-metadata.xml>
 +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
 +                     entityID="https://egi-cloud.pd.infn.it/dashboard">
 +
 +  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
 +    
 +    <md:Extensions>
 +      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 +        <mdui:DisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</mdui:DisplayName>
 +        <mdui:Description xml:lang="en">The EGI Federated Cloud infrastructure operated by INFN in Padova</mdui:Description>
 +        <mdui:InformationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</mdui:InformationURL>
 +      </mdui:UIInfo>
 +    </md:Extensions>
 +
 +
 +    <md:AttributeConsumingService index="1">
 +      <md:ServiceName xml:lang="en">https://egi-cloud.pd.infn.it/dashboard</md:ServiceName>
 +      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
 +                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
 +                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 +                             isRequired="true"/>
 +      <md:RequestedAttribute FriendlyName="mail"
 +                             Name="urn:oid:0.9.2342.19200300.100.1.3"
 +                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
 +                             isRequired="true"/>
 +      <md:RequestedAttribute FriendlyName="name"
 +                             Name="urn:oid:2.16.840.1.113730.3.1.241"
 +                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
 +                             isRequired="false"/>
 +      <md:RequestedAttribute FriendlyName="entitlement" 
 +                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
 +                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
 +                             isRequired="false"/>
 +    </md:AttributeConsumingService>
 +
 +  </md:SPSSODescriptor>
 +
 +  <md:Organization>
 +    <md:OrganizationName xml:lang="en">INFN</md:OrganizationName>
 +    <md:OrganizationDisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</md:OrganizationDisplayName>
 +    <md:OrganizationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</md:OrganizationURL>
 +  </md:Organization>
 +
 +  <md:ContactPerson contactType="technical">
 +    <md:EmailAddress>cloud-support@lists.pd.infn.it</md:EmailAddress>
 +  </md:ContactPerson>
 +
 +</md:EntityDescriptor>
 +</code>
 +
 +
 +==== Keystone service’s configuration ====
 +
 +In the file /etc/httpd/conf.d/wsgi-keystone.conf declare the following definitions:
 +
 +<code>
 +<VirtualHost _default_:5000>
 +
 +
 +
 +    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
 +        AuthType shibboleth
 +        Require shib-session
 +        ShibRequestSetting requireSession 1
 +        ShibExportAssertion Off
 +    </Location>
 +
 +    <Location ~ /v3/OS-FEDERATION/identity_providers/wlifeaai/protocols/mapped/auth>
 +        AuthType shibboleth
 +        Require shib-session
 +        ShibRequestSetting requireSession 1
 +        ShibExportAssertion Off
 +    </Location>
 +
 +
 +
 +</VirtualHost>
 +
 +</code>
 +
 +Configure the OS-Federation environment:
 +<code bash>
 +openstack group create wlife_group
 +openstack role add --group wlife_group --project wenmr _member_
 +openstack identity provider create --remote-id https://auth.west-life.eu/proxy/saml2/idp/metadata.php wlifeaai
 +openstack mapping create --rules /tmp/wlife_mapping.json wlife_mapping
 +openstack federation protocol create mapped --mapping wlife_mapping --identity-provider wlifeaai
 +</code>
 +
 +the rule file, /tmp/wlife_mapping.json, contains the following definitions:
 +<code>
 +[
 +    {
 +        "local": [
 +            {
 +                "user": { "name": "{0}" },
 +                "group": {
 +                    "domain": { "name": "Default" },
 +                    "name": "wlife_group"
 +                }
 +            }
 +        ],
 +        "remote": [
 +            {
 +                "type": "eppn"
 +            }
 +        ]
 +    }
 +]
 +</code>
 +
 +In the Keystone configuration file, /etc/keystone/keystone.conf, declare the following definitions:
 +<code>
 +[auth]
 +methods = external,password,token,oauth1,oidc,mapped
 +oidc = keystone.auth.plugins.mapped.Mapped
 +
 +[oidc]
 +remote_id_attribute = HTTP_OIDC_ISS
 +
 +[mapped]
 +remote_id_attribute = Shib-Identity-Provider
 +</code>
 +
 +==== Horizon configuration ====
 +
 +In the Horizon configuration file, /etc/openstack-dashboard/local_settings, define:
 +<code>
 +WEBSSO_ENABLED = True
 +WEBSSO_INITIAL_CHOICE = "credentials"
 +
 +WEBSSO_CHOICES = (
 +    ("credentials", _("Keystone Credentials")),
 +    ("mapped", _("West-Life SSO")),
 +    ("oidc", _("INDIGO-DataCloud IAM"))
 +)
 +</code>
 +
 +Restart all services:
 +<code bash>
 +systemctl enable shibd && systemctl start shibd
 +systemctl restart httpd
 +</code>
 +
 +==== Register the site to the IdP ====
 +
 +Send the [[https://egi-cloud.pd.infn.it/Shibboleth.sso/Metadata|metadata]] of the site to the West-Life Identity Provider, as described in [[http://internal-wiki.west-life.eu/index.php/Enabling_SAML2_for_end_services|West-Life SSO guide]]
 +
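Review bot: The `MetadataProvider` for the IdP (the element with `uri="https://auth.west-life.eu/proxy/saml2/idp/metadata.php"` in the shibboleth2.xml listing) carries no `MetadataFilter`, so trust in the IdP signing key rests entirely on the TLS connection to that host, and a stale or tampered copy in `backingFilePath` would keep being accepted. If the West-Life proxy publishes signed metadata, nest a signature check and an expiry check inside that element, e.g. `<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>` and `<MetadataFilter type="Signature" certificate="IDP_SIGNER_CERT_PLACEHOLDER.crt" verifyBackup="false"/>`, with the placeholder replaced by the pinned signer certificate file obtained out of band. Separately, the `wget` in the installation block fetches the repository definition over plain `http://`, and the path segment `security://shibboleth` looks like a typo for `security:/shibboleth`; since that `.repo` file decides which packages and GPG key `yum -y install shibboleth` trusts, it should be retrieved over `https://` and the URL corrected. Finally, the mapping rule in `wlife_mapping.json` matches only `{"type": "eppn"}` with no constraint, so every identity the West-Life IdP asserts is placed in `wlife_group` and thereby gets `_member_` on project `wenmr`; if that is intended, a sentence in the page stating it would help, otherwise the remote rule should be narrowed (the `entitlement` attribute already requested in the metadata is a natural candidate).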