...

cat << EOF > /etc/offa/config.yaml
server:
  ip_listen: 127.0.0.1
  port: 15661
logging:
  access:
    dir: /var/log/offa
    stderr: false
  internal:
    dir: /var/log/offa
    level: debug
    stderr: false
    smart:
      enabled: true
sessions:
  ttl: 3600
  cookie_domain: oidfed-appdemo.incubator.geant.org
  cookie_name: offamemcache
  memcached_addr: localhost:11211
  memcached_claims:
    UserName:
      - preferred_username
      - sub
    Groups: groups
    Email: email
    Name: name
    GivenName: given_name
    Provider: iss
    Subject: sub
signing:
  key_storage: /etc/offa/keys
federation:
  entity_id: https://oidfed-appdemo.incubator.geant.org
  trust_anchors:
    - entity_id: https://oidfed-ta-demo.incubator.geant.org
  authority_hints:
    - https://oidfed-ta-demo.incubator.geant.org
EOF

8) Startup of OFFA

Since we want to run this service independently of our terminal, so that it keeps running after we have signed out, we cannot just start it directly.

...

  • put the process in the background and disown it
  • create a systemd service for it (see below)

9) memcached

With the OFFA configuration above, we don't need to configure memcached, as we rely on its default port 11211. Moreover, apt installs memcached as a service and starts it. Therefore, there is nothing to do; it should work as is.

It is still good to know that the configuration of memcached lives in /etc/memcached.conf.
Also, memcached is managed by systemd, so you can control it with systemctl.

10) apache configuration

Here is a working configuration for Apache. There are several things to note:

  • the endpoints of OFFA are proxied and reverse proxied, so that these paths are served by OFFA, while the rest is served by the Apache web server.
  • by default, the site is publicly available, so that the landing pages work for unauthenticated users. The path /protected is protected by OFFA.
  • the "unauthorized" error (401) page is set to the login path of OFFA. This is how the authentication is initiated. By setting the ?next parameter, we can prescribe where the application should return after a successful login. Unfortunately, we cannot use dynamic values here; luckily, that is usually not needed.

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Location />
        Auth_memCookie_CookieName offamemcache
        Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11211

        # redirect unauthorized users to the login page
        ErrorDocument 401 "/login?next=/protected"

        # make the module authoritative for this location
        Auth_memCookie_Authoritative on
        # must be set; without it the module refuses authentication
        AuthType Cookie
        # must be set (Apache requires it) but not used by the module
        AuthName "OIDFED-AuthMemCookie"
        Require all granted
    </Location>

    # This is where the OIDFed stack lives.
    # We need to let the user through here, otherwise there is a redirect loop.
    <Location "/login">
        Require all granted
    </Location>

    # This is the protected location of the application
    <Location "/protected">
        Require valid-user
    </Location>

    ProxyPass /.well-known http://localhost:15661/.well-known
    ProxyPassReverse /.well-known http://localhost:15661/.well-known

    ProxyPass /login http://localhost:15661/login
    ProxyPassReverse /login http://localhost:15661/login

    ProxyPass /redirect http://localhost:15661/redirect
    ProxyPassReverse /redirect http://localhost:15661/redirect

    ProxyPass /static http://localhost:15661/static
    ProxyPassReverse /static http://localhost:15661/static

    ServerName oidfed-appdemo.incubator.geant.org
    SSLCertificateFile /etc/letsencrypt/live/oidfed-appdemo.incubator.geant.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/oidfed-appdemo.incubator.geant.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
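The OFFA config.yaml and the Apache vhost above have to agree on several values (backend host and port behind ProxyPass, cookie name, memcached address, /login staying open), and a mismatch shows up only as a broken or looping login. The script below is an added consistency check, not part of the original page or of OFFA: it works on trimmed copies of the two configs embedded as constructed samples (with the ProxyPassReverse for /redirect deliberately left out so there is something to flag) and uses line-anchored regexes rather than a YAML parser.

```python
import re
# Trimmed copies of the two configs on this page (constructed sample; /redirect lacks its ProxyPassReverse on purpose).
OFFA_YAML = """\
server:
  ip_listen: 127.0.0.1
  port: 15661
sessions:
  cookie_name: offamemcache
  memcached_addr: localhost:11211
"""
APACHE_CONF = """\
<Location />
    Auth_memCookie_CookieName offamemcache
    Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11211
</Location>
<Location "/login">
    Require all granted
</Location>
ProxyPass /login http://localhost:15661/login
ProxyPassReverse /login http://localhost:15661/login
ProxyPass /redirect http://localhost:15661/redirect
"""
def grab(pattern, text):
    """First capture group of a line-anchored regex, or '' when absent (enough for these flat files)."""
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else ""
def canonical(hostport):
    host, _, port = hostport.partition(":")  # make localhost and 127.0.0.1 compare equal
    return ("127.0.0.1" if host == "localhost" else host) + ":" + port
def check_consistency(offa_yaml, apache_conf):
    """Return the mismatches between the OFFA config and the Apache vhost (empty list = consistent)."""
    problems = []
    backend = canonical(grab(r"^\s*ip_listen:\s*(\S+)", offa_yaml) + ":" + grab(r"^\s*port:\s*(\S+)", offa_yaml))
    if not backend.startswith("127.0.0.1:"):
        problems.append("OFFA should listen on loopback only; Apache is its only intended client")
    for path, target in re.findall(r"^\s*ProxyPass\s+(\S+)\s+http://([^/]+)/", apache_conf, re.M):
        if canonical(target) != backend:
            problems.append(f"ProxyPass {path} targets {target} but OFFA listens on {backend}")
        if not re.search(rf"^\s*ProxyPassReverse\s+{re.escape(path)}\s", apache_conf, re.M):
            problems.append(f"ProxyPass {path} has no matching ProxyPassReverse")
    if grab(r"^\s*cookie_name:\s*(\S+)", offa_yaml) != grab(r"^\s*Auth_memCookie_CookieName\s+(\S+)", apache_conf):
        problems.append("cookie_name differs between OFFA and Auth_memCookie_CookieName")
    memc = grab(r"^\s*Auth_memCookie_Memcached_Configuration\s+--SERVER=(\S+)", apache_conf)
    if canonical(grab(r"^\s*memcached_addr:\s*(\S+)", offa_yaml)) != canonical(memc):
        problems.append("OFFA and mod_auth_memcookie point at different memcached servers")
    login = re.search(r'<Location "?/login"?>(.*?)</Location>', apache_conf, re.S | re.I)
    if not login or "require all granted" not in login.group(1).lower():
        problems.append("/login must stay 'Require all granted' or the 401 ErrorDocument redirect loops")
    return problems
```

The loopback expectation applies to memcached as well, since it holds the authenticated sessions: the Debian package ships /etc/memcached.conf with `-l 127.0.0.1`, and that line should stay as it is on this setup.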

X) Other considerations

Key materials

...