You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

ONGOING WORK

Installation using the installation script

The installation script is available at https://github.com/geteduroam/letswifi-portal/blob/main/contrib/install/install-letswifi-portal.sh . The script sets up a portal at the web address (DNS entry) that you provide, with which you obtain certificates from one CA and for a specific realm, which you specify. Additionally, the script copies the metadata from the link but if automatic refresh is needed, you need to set this up later. At the end of the installation process, you get a link to find the SAML SP metadata to register with your federation. In the firewall you need to open the ports TCP/80 and TCP/443 . In order to check that everything is OK at this point, please use the command

curl -sSk --resolve DOMAIN:443:127.0.0.1 https://DOMAIN; echo

You should see an output like {"href":"./","http://letswifi.app/api#2": if the webserver is running OK internally. You should also be able to reach your server with a browser. Next, try to check the metadata with https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, please obtain and install a server certificate for your web server. The configuration file is named letswifi-portal.conf.

At this point you may find out that the SimpleSAMLphp version that your OS comes with is too old. Please download a new one and install it.  Copy the apache.conf of the newly installed SimpleSAMLphp to the /config - directory and take it into use at /etc/apache2/conf-available with

ln -sf /NEW-SIMPLESAMLPHP/config/apache.conf /etc/apache2/conf-available/simplesamlphp.conf

In config.php you may need to change 'baseurlpath' from 'simplesaml/' to 'simplesamlphp/'. In /usr/share/letswifi-portal/etc/letswifi.conf.php the 'autoloadInclude' needs to be changed to point to the correct SimpleSAMLphp version. Do a web server restart.

Next, connect your SimpleSAMLphp to your federation. More extensive guidelines can be found here and here. In case you need certificates for signing and encryption, you can generate them with:

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-geteduroam.crt -keyout saml-geteduroam.key

In /etc/simplesamlphp/authsources.php, under ’default-sp’, please insert the following


'certificate' => '/PATH/TO/saml-geteduroam.crt',
'privatekey' => '/PATH/TO/saml-geteduroam.key',
'redirect.sign' => true,
'redirect.validate' => true,


You should see the changes in https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. If needed, enable automatic metadata refresh, extensive guidelines can be found here. In the module section of /SIMPLESAMLPHP/config/config.php you need

'module.enable' => [
         'cron' => true,
         'metarefresh' => true,
         'core' => true,
         'saml' => true
 ],

instead of 'exampleauth'.

Please copy the necessary templates with

cp modules/cron/config-templates/*.php /etc/simplesamlphp/
cp modules/metarefresh/config-templates/*.php /etc/simplesamlphp/

From /modules/metarefresh/bin you can test with 

./metarefresh.php -s https://PATH/TO/your-metadata.xml

Please go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron.  Set the key in module_cron.php and the 'auth.adminpassword' in config.php. In the same file, the 'technicalcontact_email' needs to be updated. Next, make sure that www-data has access to the metadata folder. You can update the metadata with HTTP or CLI, with HTTP you need something like this in /etc/corn.d/

20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1

Next, your need to create a CAT profile for your users. With this done, you should now be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter a OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The php version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.




   

  • No labels