Operational Requirements for Confusa-based portals
Allthough Confusa is not about operations, some aspects of the operational requirements must be propagated into the Confusa code flow.
Attribute Requirements
From the SAML-message, simpleSAMLphp returns the attributes in an associative array. Since the different federations implement some of the various attributes slightly differently, and not all attributes are mandatory, we cannot rely on a single namespace for this. So, to combat this, we have added a way for the NREN Administrator to assign the provided attributes to the required Confusa attributes. The required attributes are also listed, with a short description about intended usage and the consequence when it is unavailable.
The Attributes
The attribute requirements are enforced by Person. It is done by verifying the input in the set functions. Note that Confusa is written with the Grid-Comodo-Terena CP/CPS in mind. Therefore, some of the consequences might be a bit strict in other use-cases. This is nothing we are going to change at the time of this writing.
A unique identifier within the federation and accross all nations
The required attribute for this is eduPersonPrincipalName. This is an absolute requirement and Confusa will refuse to sign any certificates, or do any protected actions for an authenticated user without this attribute. Most likely you will end up in a AuthN-loop where Confusa will redirect the user constantly to the IdP portal for Authentication.
The full name of the user
The preferred attribute at the moment is cn. But other attributes mapping to the name of the user, such as displayName should work as well. The concrete attribute that is going to be used can be configured on NREN and subscriber-level by the respective administrators. This is required as the CP/CPS states that the full name of the user should be in the \CN. The current Confusa version concatenates ePPN and full name together to create a unique \CN which is also human-readable.
Note: we cannot use eduPersonTargetedID as we are required to create a stable namespace, and ePTID will change between instances.
Organization
The organization is used to find the proper maps, administrators etc. It is also added to the \DN of the certificate. The most sensible attributes to use here are eduPersonOrgDN(ePODN)
or schacHomeOrganization. Which attribute is to be used can be configured on the NREN-level and only on the NREN-level. If this attribute could be configured on the subscriber-level as well, it would be impossible for Confusa to infer to which NREN a subscriber-admin belongs. If no attribute is set, Confusa cannot sign certificates.
The email address for the user
The CP/CPS requires us to notify the user about a newly issued certificate through other channels than the currently active (the web interface). We therefore need the email-address to ship a receipt to. The attribute that is used for this can be configured on NREN and subscriber level by the respective admins. A reasonable attribute is mail. If no attribute is set, Confusa cannot sign certificates for the user.
Entitlement
The entitlement is the IdP's way of notifying Confusa that the given user is entitled to certain actions. This is not a required attribute for other users than the administrators. I.e. the IdP can easily remove an administrator. However, we do not want the IdPs to wildly add new administrator, so this attribute is a necessary but not sufficient condition for getting administrator privileges.
If not set, the user cannot be administrator. The attribute is freely configurable on the NREN-level. we have disabled it on the subscriber-level to avoid having subscriber-admins lock themselves and their whole institution out of the portal. However, we recommend usage of the eduPersonEntitlement attribute.
TCS-[eScience|Personal]-Portal
The central TCS eScience portal currently uses the following entitlement attributes:
- urn:mace:terena.org:tcs:escience-user (may request eScience certificates)
- urn:mace:terena.org:tcs:escience-admin (eScience institution administrator)
- urn:mace:terena.org:tcs:personal-user (may request personal certificates)
- urn:mace:terena.org:tcs:personal-admin (personal portal institution administrator)
Attribute summary
|
ePPN |
ePODN |
mail |
Full Name |
entitlement |
enforced |
|---|---|---|---|---|---|---|
Log in |
required |
optional |
optional |
optional |
optional |
yes |
Admin |
required |
required |
optional |
optional |
required |
yes |
Create certificate |
required |
required |
required |
required |
required |
yes |
Revoke certificate (user) |
required |
optional |
optional |
optional |
optional |
yes |
E-Mail certificate |
required |
optional |
required |
optional |
optional |
yes |
The 3 different Attribute Mapping cases
- The subscriber is not yet configured (an attribute map has not been created)
The user will be shown a message on the form "Your NREN has not yet configured the attribute mapping for your organization. - The NREN has created a default-mapping but not a dedicate subscriber mapping
Confusa will try to use the default NREN-mapping for the attributes. In most settings, this will be the appropriate action. - A subscriber-admin has created a dedicated attribute-map for the subscriber
This is given the highest precedence. Confusa will first look for this map. If not found, it will look for the default NREN-map. And finally, if the NREN-map is not found, it will display an error to the user.
The attribute mapping process (NREN)
System Requirements
We try to write distro independent code. However, subtle changes between the GNU/Linux distributions may lead to the occasional bug. Confusa is tested and should work flawlessly on the following distributions:
- Debian (Lenny)
- Ubuntu 9.04 (Jaunty Jackalope)
- Ubuntu 8.10 (Intrepid Ibex)
- CentOS 5.2 (*)
- CentOS 5.4
Have you tried and tested Confusa on another platform? Let us know!
You should also make sure Confusa is running on a hardened, standalone system. This is equally important in standalone- or online-mode. A compromised Confusa instance may cause the attacker to have certificates with arbitrary \DN signed. We have written Confusa with this in mind, and the running instance is hardened (and is being continually updated when we find a potential security hole), but never the less, take care to minimize the attack vectors.
The file INSTALL lists all the requirements with respect to software. Please consult this file before, during and after an install-process, it should always be updated.