Overview
The SVS component is based on SaToSa and adds InAcademia-specific components from the SVS git repository.
An ansible script, based on https://github.com/surfnet-niels/simplesaml-idp, is used to handle the configuration inside the docker container.
The overall setup is part of the inacademia-dev repository: https://github.com/surfnet-niels/inacademia-dev/tree/master/ssp-idp
Directory structure
```text
├── build_svs.sh
├── config
│   ├── cdb
│   │   ├── cdb.json
│   │   └── cdb.json.example
│   └── production
│       ├── attributemaps
│       │   ├── adfs_v1x.py
│       │   ├── adfs_v20.py
│       │   ├── basic.py
│       │   ├── __init__.py
│       │   ├── saml_uri.py
│       │   └── shibboleth_uri.py
│       ├── backend.xml
│       ├── certs
│       │   ├── saml_metadata_backend.crt
│       │   └── saml_metadata_backend.key
│       ├── dhparams.txt
│       ├── entityids.json
│       ├── idp.xml
│       ├── inAcademia.key -> certs/saml_metadata_backend.key
│       ├── inAcademia.pub -> certs/saml_metadata_backend.crt
│       ├── info.log
│       ├── internal_attributes.yaml
│       ├── metadata.crt -> certs/saml_metadata_backend.crt
│       ├── metadata.key -> certs/saml_metadata_backend.key
│       ├── plugins
│       │   ├── attribute_processor.yaml
│       │   ├── custom_logging.yaml
│       │   ├── inacademia_backend.yaml
│       │   ├── inacademia_frontend.yaml
│       │   └── user_consent.yaml
│       └── proxy_conf.yaml
├── Dockerfile
├── inacademia.conf
├── LICENSE
├── NOTICE
├── README.md
├── rsyslog.conf
├── run_svs.sh
├── start.sh
└── svs-1.0.1-py3-none-any.whl
```
The Dockerfile is the basis for the docker image to be built. The build_svs.sh and run_svs.sh scripts build and run the docker image respectively. The run_svs.sh script tests whether the image exists and, if not, tries to build it before running it.
In the config directory two subdirectories exist:
- cdb contains the client database: the RPs that are allowed to connect to InAcademia and the scopes and claims they are allowed to query.
- production contains a set of directories and files that describe the InAcademia setup:
  - attributemaps configures how SaToSa maps the attributes of the various protocols from and to its internal state.
  - certs contains the certificates needed for SAML and OIDC (but NOT for https).
  - plugins contains the InAcademia frontend, backend and microservices needed by SaToSa for InAcademia.
  - backend.xml contains Frontend SAML metadata and is autogenerated when the InAcademia docker starts.
  - entityids.json contains a list of all IdPs that are allowed to use the InAcademia service.
  - idp.xml contains the SAML metadata of the IdPs that connect to InAcademia. In production this is typically not used and an MDQ is used instead.
  - For historic reasons the certificates needed by SaToSa for the SAML endpoint and the OIDC endpoint are named differently. This is resolved by the symlinks inAcademia* and metadata*, which all point to the certificates in the certs directory.
  - info.log is the InAcademia logfile.
Typically none of these files needs changes for a deploy.
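A pre-deploy sanity check for the config/production layout described above, added here as an example and not code from the SVS repository: it verifies that the inAcademia.* and metadata.* symlinks point at the files in certs/ named in the tree, and that the private key is not group- or world-readable. The sample tree it builds is constructed for the example and uses dummy key/cert contents.

```python
import os, stat, tempfile
from pathlib import Path

# Symlink name -> expected target, taken from the directory tree above (relative to config/production)
EXPECTED_LINKS = {
    "inAcademia.key": "certs/saml_metadata_backend.key",
    "inAcademia.pub": "certs/saml_metadata_backend.crt",
    "metadata.key": "certs/saml_metadata_backend.key",
    "metadata.crt": "certs/saml_metadata_backend.crt",
}
PRIVATE_KEY = "certs/saml_metadata_backend.key"


def check_config(production: Path) -> list:
    """Return human-readable findings for config/production; an empty list means all checks passed."""
    findings = []
    for name, target in EXPECTED_LINKS.items():
        link = production / name
        if not link.is_symlink():
            findings.append(f"{name}: not a symlink")
        elif os.readlink(link) != target:
            findings.append(f"{name}: points to {os.readlink(link)}, expected {target}")
    key = production / PRIVATE_KEY
    if not key.is_file():
        findings.append(f"{PRIVATE_KEY}: missing")
    elif key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit set
        findings.append(f"{PRIVATE_KEY}: private key is group/world accessible")
    return findings


def make_sample_tree(root: Path) -> Path:
    """Build a constructed copy of the layout with dummy key/cert contents (testing only)."""
    prod = root / "config" / "production"
    (prod / "certs").mkdir(parents=True)
    (prod / PRIVATE_KEY).write_text("-----CONSTRUCTED DUMMY KEY-----\n")
    (prod / PRIVATE_KEY).chmod(0o600)
    (prod / "certs" / "saml_metadata_backend.crt").write_text("-----CONSTRUCTED DUMMY CERT-----\n")
    for name, target in EXPECTED_LINKS.items():
        (prod / name).symlink_to(target)
    return prod


def demo() -> tuple:
    """Check a clean constructed tree, then the same tree with a mis-pointed symlink and a world-readable key."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = make_sample_tree(Path(tmp))
        clean = check_config(prod)
        (prod / "metadata.key").unlink()
        (prod / "metadata.key").symlink_to("certs/saml_metadata_backend.crt")  # wrong target
        (prod / PRIVATE_KEY).chmod(0o644)
        return clean, check_config(prod)
```

Point check_config() at a real checkout's config/production directory to run the same checks before a deploy; demo() returns the findings for the clean and the deliberately broken constructed tree.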
The metadata directory contains the SAML metadata that the IdP needs to be able to talk to the SPs involved, in this case the InAcademia SaToSa-based proxy.
Docker file
The Dockerfile is completely self-contained: it builds the IdP from the config and pulls the relevant repositories if needed.
```dockerfile
FROM ubuntu:16.04
EXPOSE 443
RUN apt -y update && apt -y full-upgrade && apt -y autoremove && apt install -y sudo dnsutils git software-properties-common
RUN apt-add-repository -y ppa:ansible/ansible && apt install -y ansible
RUN git clone https://github.com/surfnet-niels/simplesaml-idp.git /tmp/ansible/simplesaml-idp
COPY config/ansible/inventory /tmp/ansible/simplesaml-idp/
COPY config/ansible/idp.yml /tmp/ansible/simplesaml-idp/group_vars/
RUN ansible-playbook -i /tmp/ansible/simplesaml-idp/inventory /tmp/ansible/simplesaml-idp/simplesaml-idp.yml
COPY config/metadata /var/www/simplesamlphp/metadata
ENTRYPOINT service apache2 start && /bin/bash
```
Now run the run script to build and start our docker-based IdP.
Using the IdP
Assuming your deploy went without errors, the IdP should now be available through https://idp.inacademia.local/ and a login screen should be awaiting you.
You can log in as admin; the default password is "inac2play", as configured in the idp.yml file.
To test that the IdP itself is working you can now use the test authsources feature of simplesamlphp, as shown in the subsequent screens.
Use one of the default users to log in, e.g. "student1" with password "student1".
Success, you now have a working SAML2 IdP.