...
This picture shows what happens on the VM appdemo
Instructions
appdemo
1) basic packages
First, get some packages from the repositories
...
- the endpoints of offa are proxied and reverse proxied, so that these paths are served by offa, while the rest is served by the apache web server.
- by default, the site is publicly available, so that the landing pages work for unauthenticated users. The path /protected is protected by offa.
- the "unauthorized" error (401) page is set to be the login path of offa. This is how authentication is initiated. By setting the ?next parameter, we prescribe where the application should return after a successful login. Unfortunately, we cannot use dynamic values here; luckily, that is usually not needed.
Configure apache the following way in the virtualhost file /etc/apache2/sites-enabled/000-default-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Location />
        Auth_memCookie_CookieName offamemcache
        Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11211
        # redirect unauthorized users to the login page
        ErrorDocument 401 "/login?next=/protected"
        # specify whether the module is authoritative in this directory
        Auth_memCookie_Authoritative on
        # must be set, otherwise the module refuses authentication
        AuthType Cookie
        # must be set (apache mandatory) but not used by the module
        AuthName "OIDFED-AuthMemCookie"
        Require all granted
    </Location>

    # This is where the OIDFed stack is.
    # We need to pass the user through here, otherwise there is a redirect loop.
    <Location "/login">
        Require all granted
    </Location>

    # This is the protected location of the application
    <Location "/protected">
        Require valid-user
    </Location>

    ProxyPass /.well-known http://localhost:15661/.well-known
    ProxyPassReverse /.well-known http://localhost:15661/.well-known
    ProxyPass /login http://localhost:15661/login
    ProxyPassReverse /login http://localhost:15661/login
    ProxyPass /redirect http://localhost:15661/redirect
    ProxyPassReverse /redirect http://localhost:15661/redirect
    ProxyPass /static http://localhost:15661/static
    ProxyPassReverse /static http://localhost:15661/static

    ServerName oidfed-appdemo.incubator.geant.org
    SSLCertificateFile /etc/letsencrypt/live/oidfed-appdemo.incubator.geant.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/oidfed-appdemo.incubator.geant.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
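The login flow above only works if the 401 page (/login) stays reachable without a session while the ?next target (/protected) really requires one; the following added check (not part of this page or of offa) parses a constructed excerpt of the VirtualHost and verifies those invariants using Apache's longest-prefix Location matching. The excerpt and the check functions are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed excerpt of the appdemo VirtualHost above (assumption: only
# the directives that decide the login flow are reproduced).
VHOST = '''
<Location />
    ErrorDocument 401 "/login?next=/protected"
    Require all granted
</Location>
<Location "/login">
    Require all granted
</Location>
<Location "/protected">
    Require valid-user
</Location>
ProxyPass /login http://localhost:15661/login
ProxyPass /redirect http://localhost:15661/redirect
'''

LOC_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S)

def parse_vhost(text):
    """Require value per <Location>, the 401 page, its ?next target, proxied prefixes."""
    locations = {}
    for path, body in LOC_RE.findall(text):
        m = re.search(r'^\s*require\s+(.+?)\s*$', body, re.I | re.M)
        locations[path] = m.group(1).lower() if m else None
    m = re.search(r'ErrorDocument\s+401\s+"?([^"\s]+)', text)
    url = urlsplit(m.group(1) if m else '')
    next_path = parse_qs(url.query).get('next', [None])[0]
    proxied = re.findall(r'^\s*ProxyPass\s+(\S+)', text, re.M)
    return locations, url.path, next_path, proxied

def effective_require(locations, path):
    """Longest matching <Location> prefix wins (Apache merges shortest first)."""
    matching = [loc for loc in locations
                if loc == '/' or path == loc or path.startswith(loc + '/')]
    return locations[max(matching, key=len)] if matching else None

def check_auth_flow(text):
    """Return a list of problems; an empty list means the login flow is sound."""
    locations, login, nxt, proxied = parse_vhost(text)
    problems = []
    if effective_require(locations, login) != 'all granted':
        problems.append(f'{login} needs authentication itself: redirect loop')
    if nxt and effective_require(locations, nxt) != 'valid-user':
        problems.append(f'{nxt} is the post-login target but is not protected')
    if login not in proxied:
        problems.append(f'{login} is not proxied to offa')
    return problems
```

Run check_auth_flow() over the real vhost file contents before reloading apache; any non-empty result points at a misconfiguration of the redirect flow.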
...
Running as systemd service
Monitoring
ta-demo - lighthouse trust anchor
1) set up apache with letsencrypt certificates the same way as for offa, steps 1-3 (the memcached packages are not needed)
2) download and compile lighthouse
cd /opt
wget https://github.com/go-oidfed/lighthouse/archive/refs/heads/main.zip
unzip main.zip
mv lighthouse-main/ lighthouse
cd lighthouse
go mod download
mkdir bin
go build -o bin/lighthouse github.com/go-oidfed/lighthouse/cmd/lighthouse
go build -o bin/lhcli github.com/go-oidfed/lighthouse/cmd/lhcli
3) create working folders
mkdir -p /opt/lighthouse/data
mkdir -p /var/log/lighthouse
# config.yaml and the signing key directory referenced by it live here
mkdir -p /etc/lighthouse/keys
4) configure lighthouse
cat << EOF > /etc/lighthouse/config.yaml
server:
  port: 7672
logging:
  access:
    dir: /var/log/lighthouse
    stderr: false
  internal:
    dir: /var/log/lighthouse
    stderr: false
    level: info
    smart:
      enabled: true
storage:
  backend: json
  data_dir: /opt/lighthouse/data
signing:
  key_dir: /etc/lighthouse/keys
endpoints:
  fetch:
    path: /fetch
    statement_lifetime: 3600
  list:
    path: /list
federation_data:
  entity_id: https://oidfed-appdemo.incubator.geant.org/trust-anchor
  federation_entity_metadata:
    display_name: OIDFED-APPDEMO Trust Anchor
    description: "A trust anchor in the GN5-2 TI Incubator"
EOF
5) enable the proxying in the virtualhost file
Add the following lines to the virtualhost file /etc/apache2/sites-enabled/000-default-le-ssl.conf, anywhere within the VirtualHost block:
ProxyPass /.well-known http://localhost:7672/.well-known
ProxyPassReverse /.well-known http://localhost:7672/.well-known
ProxyPass /fetch http://localhost:7672/fetch
ProxyPassReverse /fetch http://localhost:7672/fetch
ProxyPass /list http://localhost:7672/list
ProxyPassReverse /list http://localhost:7672/list
6) startup
We need to start the process detached from the terminal (see the note at offa in the previous section).
screen -S lighthouse /opt/lighthouse/bin/lighthouse
Then detach from the screen session with CTRL-A D.
7) adding leaf entities with lhcli
In a separate command line shell, add the RP and then the OP as subordinates of the trust anchor.
/opt/lighthouse/bin/lhcli -c /etc/lighthouse/config.yaml subordinates add https://oidfed-appdemo.incubator.geant.org
/opt/lighthouse/bin/lhcli -c /etc/lighthouse/config.yaml subordinates add https://oidfed-op-demo.incubator.geant.org
OP
1) set up apache
apt install apache2
apt install libapache2-mod-php
2) letsencrypt
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache
3) download simplesamlphp
In general, follow the instructions in the simpleSAMLphp documentation and make sure you install all the packages it needs:
https://simplesamlphp.org/docs/stable/index.html
cd /var
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v2.4.2/simplesamlphp-2.4.2-full.tar.gz
tar xzf simplesamlphp-2.4.2-full.tar.gz
mv simplesamlphp-2.4.2 simplesamlphp
rm simplesamlphp-2.4.2-full.tar.gz
4) configuration of modules
In simplesamlphp, you need to enable the oidc module. For the sake of this demo, we use the exampleauth module. The core module is necessary, and the saml and admin modules are required for the admin web GUI.
In config/config.php, find the corresponding part and edit it so that it reads:
'module.enable' => [
'exampleauth' => true,
'core' => true,
'admin' => true,
'saml' => true,
'oidc' => true,
],
5) configuration of database needed for OIDC client registration
Install mariadb and the necessary php package:
apt install mariadb-server php-mysql
As a good practice, run
mysql_secure_installation
Create a database in the command line (or your preferred client tool).
CREATE DATABASE simplesamlphp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'simplesamlphp'@'localhost' IDENTIFIED BY '<yourpw>';
GRANT ALL PRIVILEGES ON simplesamlphp.* TO 'simplesamlphp'@'localhost';
FLUSH PRIVILEGES;
Set up the database config in config/config.php (the database name, user and password must match what was created above):
/*
 * Database connection string.
 * Ensure that you have the required PDO database driver installed
 * for your connection string.
 */
'database.dsn' => 'mysql:host=localhost;dbname=simplesamlphp',

/*
 * SQL database credentials
 */
'database.username' => 'simplesamlphp',
'database.password' => '<yourpw>',
'database.options' => [],
6) enable an example authentication source
In config/authsources.php:
'example-userpass' => [
    'exampleauth:UserPass',

    // Give the user an option to save their username for future login attempts
    // And when enabled, what should the default be, to save the username or not
    //'remember.username.enabled' => false,
    //'remember.username.checked' => false,

    'users' => [
        'student:studentpass' => [
            'uid' => ['laura123'],
            'eduPersonAffiliation' => ['member', 'student'],
            'cn' => ['Laura Erasmus'],
            'mail' => ['laura@example.org'],
        ],
        'employee:employeepass' => [
            'uid' => ['employee'],
            'eduPersonAffiliation' => ['member', 'employee'],
        ],
    ],
],
7) configure the openid federation module in config/module_oidc.php
Find the following options and set them as shown.
The issuer id:
ModuleConfig::OPTION_ISSUER => 'https://oidfed-op-demo.incubator.geant.org',
The authentication source (as set up above):
ModuleConfig::OPTION_AUTH_SOURCE => 'example-userpass',
The mapping of a local attribute (uid) to be used in the sub claim:
ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'uid',
The mapping of some other attributes:
ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
    'name' => [
        'cn',
        'displayName',
    ],
    'family_name' => [
        'sn',
    ],
    'given_name' => [
        'givenName',
    ],
],
Enable OpenID Federation:
ModuleConfig::OPTION_FEDERATION_ENABLED => true,
Enable trust anchors:
ModuleConfig::OPTION_FEDERATION_TRUST_ANCHORS => [
    'https://oidfed-ta-demo.incubator.geant.org' => null,
],
Enable authority hints:
ModuleConfig::OPTION_FEDERATION_AUTHORITY_HINTS => [
    'https://oidfed-ta-demo.incubator.geant.org',
],
