...
1) set up apache with letsencrypt certificates the same way as seen in offa, steps 1-3. (memcached packages not needed)
2) download and compile lighthouse
...
screen -S lighthouse /opt/lighthouse/bin/lighthouse
Then detach from the screen session with CTRL-A D.
7) adding leaves with lhcli (TBA)
In a separate command line shell, add the RP and then the OP.
./lhcli -c /etc/lighthouse/config.yaml subordinates add https://oidfed-appdemo.incubator.geant.org
./lhcli -c /etc/lighthouse/config.yaml subordinates add https://oidfed-op-demo.incubator.geant.org
OP
1) set up apache
apt install apache2
apt install libapache2-mod-php
2) letsencrypt
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache
3) download simpleSAMLphp
In general, follow the instructions in the simpleSAMLphp documentation:
https://simplesamlphp.org/docs/stable/index.html
Make sure you install all packages needed.
cd /var
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v2.4.2/simplesamlphp-2.4.2-full.tar.gz
tar xzf simplesamlphp-2.4.2-full.tar.gz
mv simplesamlphp-2.4.2 simplesamlphp
rm simplesamlphp-2.4.2-full.tar.gz
4) configuration of modules
In simpleSAMLphp, you need to enable the oidc module. For the sake of this demo, we use the exampleauth module. The core module is necessary, and the saml and admin modules are required for the admin web GUI.
In config/config.php, find the corresponding part and edit it so that it reads:
'module.enable' => [
    'exampleauth' => true,
    'core' => true,
    'admin' => true,
    'saml' => true,
    'oidc' => true,
],
5) configuration of database needed for OIDC client registration
Install mariadb and the necessary php package:
apt install mariadb-server php-mysql
As a good practice, run
mysql_secure_installation
Create a database in the command line (or your preferred client tool).
CREATE DATABASE simplesamlphp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'simplesamlphp'@'localhost' IDENTIFIED BY '<yourpw>';
GRANT ALL PRIVILEGES ON simplesamlphp.* TO 'simplesamlphp'@'localhost';
FLUSH PRIVILEGES;
Set up the database config in config/config.php so that it points at the database and user created above:
/*
 * Database connection string.
 * Ensure that you have the required PDO database driver installed
 * for your connection string.
 */
'database.dsn' => 'mysql:host=localhost;dbname=simplesamlphp',
/*
 * SQL database credentials (must match the CREATE USER statement above)
 */
'database.username' => 'simplesamlphp',
'database.password' => '<yourpw>',
'database.options' => [],
6) enable an example authentication source
In config/authsources.php:
'example-userpass' => [
    'exampleauth:UserPass',
    // Give the user an option to save their username for future login attempts
    // And when enabled, what should the default be, to save the username or not
    //'remember.username.enabled' => false,
    //'remember.username.checked' => false,
    'users' => [
        'student:studentpass' => [
            'uid' => ['laura123'],
            'eduPersonAffiliation' => ['member', 'student'],
            'cn' => ['Laura Erasmus'],
            'mail' => ['laura@example.org'],
        ],
        'employee:employeepass' => [
            'uid' => ['employee'],
            'eduPersonAffiliation' => ['member', 'employee'],
        ],
    ],
],
7) configure the OpenID Federation module in config/module_oidc.php. Find the following lines and set them as follows:
the issuer id:
ModuleConfig::OPTION_ISSUER => 'https://oidfed-op-demo.incubator.geant.org',
authentication source (as set up above):
ModuleConfig::OPTION_AUTH_SOURCE => 'example-userpass',
mapping of a local attribute (uid) to be used as the sub claim:
ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'uid',
mapping of some other attributes:
ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
    'name' => [
        'cn',
        'displayName',
    ],
    'family_name' => [
        'sn',
    ],
    'given_name' => [
        'givenName',
    ],
],
Enable OpenID Federation:
ModuleConfig::OPTION_FEDERATION_ENABLED => true,
Enable trust anchors:
ModuleConfig::OPTION_FEDERATION_TRUST_ANCHORS => [
    'https://oidfed-ta-demo.incubator.geant.org' => null,
],
Enable authority hints:
ModuleConfig::OPTION_FEDERATION_AUTHORITY_HINTS => [
    'https://oidfed-ta-demo.incubator.geant.org',
],
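As an added check that is not part of this guide (nor code from simpleSAMLphp or lighthouse), the Python below inspects an OpenID Federation entity configuration JWT, the document the OP publishes at its issuer URL under /.well-known/openid-federation, and reports whether its claims agree with the issuer and trust anchor configured in module_oidc.php above. The sample JWT is constructed inline and unsigned; the check reads header and claims only and does not verify the signature, so a clean result means the configuration is consistent, not that the entity is trusted.

```python
import base64
import json
import time

# Values taken from the module_oidc.php configuration in this guide.
EXPECTED_ISSUER = "https://oidfed-op-demo.incubator.geant.org"
EXPECTED_TRUST_ANCHOR = "https://oidfed-ta-demo.incubator.geant.org"

def _b64url_decode(segment):
    # base64url without padding, as used for JWS segments (RFC 7515)
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_entity_configuration(jwt, issuer, trust_anchor, now=None):
    # Returns a list of problems. Only header and claims are inspected; the
    # signature is NOT verified, so [] means "consistent", not "trusted".
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = jwt.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return ["not a three-part JWT"]
    problems = []
    if header.get("typ") != "entity-statement+jwt":
        problems.append("typ header is not entity-statement+jwt")
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured OPTION_ISSUER")
    if claims.get("sub") != claims.get("iss"):
        problems.append("entity configuration must be self-issued (iss == sub)")
    if trust_anchor not in claims.get("authority_hints", []):
        problems.append("trust anchor missing from authority_hints")
    if "jwks" not in claims:
        problems.append("federation entity keys (jwks) missing")
    if claims.get("exp", 0) <= now:
        problems.append("statement has expired")
    return problems

def sample_entity_configuration(authority_hints, issuer=EXPECTED_ISSUER):
    # Constructed, unsigned sample for offline testing; a real OP signs this.
    header = {"alg": "RS256", "typ": "entity-statement+jwt", "kid": "demo"}
    claims = {"iss": issuer, "sub": issuer, "iat": 1700000000,
              "exp": 1700003600, "jwks": {"keys": []},
              "authority_hints": authority_hints,
              "metadata": {"openid_provider": {"issuer": issuer}}}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])
```

To check the live OP, fetch the entity configuration from the issuer's /.well-known/openid-federation endpoint and pass the response body to check_entity_configuration; an empty authority_hints list is the symptom of a missing OPTION_FEDERATION_AUTHORITY_HINTS entry.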