idp cluster setup

Jacquet, Frederic

Hello

I am reading the wiki for IdP cluster setup and ask myself if Terracotta 2.7.3 is still mandatory.

Could I replace it with a JBoss cluster?

Thanks in advance

fred


Frederic Jacquet- Unix Administrator
Tel: +41 21 618 02 31

IMD
Ch. de Bellerive 23, P.O. Box 915
CH - 1001 Lausanne, Switzerland
www.imd.ch



Ezproxy config for local IDP

tsmori
I've looked over as many example configurations as I can find, but there's a point in each of them that boils down to "send this information to your IDP provider". Well, what if I am the IDP provider?

I'm trying to set up a local authentication system using a database lookup and it works, but getting it integrated with ezproxy isn't too clear.

The documentation on the ezproxy site has a number of required parameters.

There's an EZProxyEntityID, so I have this set to my ezproxy server, e.g. https://myhost.domain.edu:2433/
The file for the metadata, which I edited to include the entityID, is in the ezproxy install directory.

The major issue I'm having is that ezproxy doesn't appear to know where to obtain the SSO service. The documentation states to use your IDPEntityID, which I have tried, https://myhost.domain.edu/idp/shibboleth, and variations.

Each time ezproxy reports the following error:

2009-06-10 15:57:17 Unable to locate SSO Location for https://myhost.domain.edu/idp/Shibboleth/SSO 
2009-06-10 15:57:17 Shibboleth IDP20 entity not found: https://shibdev.lib.ncsu.edu/idp/Shibboleth/SSO 

Another part of the documentation has to do with the Assertion Consumer Service URLs that are created by EZproxy. There seems to be something you need to do with these and then recreate a metadata file for EZproxy, but I can't find anything about this.

If anyone has any ideas, I'd appreciate hearing them.

Thanks,


Timothy S. Mori
Systems Librarian for Enterprise Operations
IT Department
North Carolina State University Libraries
Campus Box 7111
Raleigh, NC 27695-7111




RE: Ezproxy config for local IDP

Cantor, Scott E.
Timothy Mori wrote on 2009-06-10:
> I've looked over as many example configurations as I can find, but there's
> a point in each of them that boils down to "send this information to your
> IDP provider". Well, what if I am the IDP provider?

That doesn't change the statement. For this to work, you have to exchange
SAML metadata. If you don't know what that entails, you'd have to look at
examples and/or read specs because that's all we have at the moment.

> The documentation on the ezproxy site has a number of required parameters.
>
> There's an EZProxyEntityID, so I have this set to my ezproxy server,
> e.g. https://myhost.domain.edu:2433/ The file for the metadata, which I
> edited to include the entityID is in the ezproxy install directory.

Stylistically, that's not a great ID to use, but ultimately it doesn't
matter. I suggest you read this, though:

https://spaces.internet2.edu/display/SHIB2/EntityNaming

> The major issue I'm having is that ezproxy doesn't appear to know where
> to obtain the SSO service.
> Each time ezproxy reports the following error:
>
> 2009-06-10 15:57:17 Unable to locate SSO Location for https://myhost.domain.edu/idp/Shibboleth/SSO
> 2009-06-10 15:57:17 Shibboleth IDP20 entity not found: https://shibdev.lib.ncsu.edu/idp/Shibboleth/SSO

Presumably you failed to give it your IdP's metadata. Beyond that, its
documentation needs to describe how to supply it with metadata, or the
decomposed equivalent if it doesn't support the metadata spec in some
fashion.

> Another part of the documentation has to do with the  Assertion Consumer
> Service URLs that are created by EZproxy. There seems to be something you
> need to do with these and then recreate a metadata file for EZproxy, but I
> can't find any thing about this.

That's part of what's in the SP's metadata (in this case Ezproxy) and that's
what you have to supply to the IdP to prevent failures at that end.

-- Scott
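
As an added example (not part of the thread, and not EZproxy or Shibboleth code), here is the lookup Scott's reply implies EZproxy performs against the IdP metadata it is given, next to the SP-side list that has to go to the IdP. Both metadata documents are constructed: the entityIDs, the ACS path and the error-case string reuse what is quoted in the thread, and the /idp/profile/SAML2/... SingleSignOnService locations are assumed for illustration.

```python
"""Resolve an IdP's SingleSignOnService endpoint from SAML metadata by
entityID, and list the SP's AssertionConsumerService endpoints the IdP
needs. Added example for this thread; not EZproxy or Shibboleth code."""
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (an aggregate with one IdP). The entityID is the
# identifier an IDP20 line must carry; the Location values are what the SP
# has to discover from the metadata, never from the entityID string itself.
IDP_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://myhost.domain.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://myhost.domain.edu/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://myhost.domain.edu/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed SP (EZproxy) metadata, using the entityID quoted in the thread.
SP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://myhost.domain.edu:2433/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myhost.domain.edu:2433/Shibboleth.sso/SAML2/POST" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def entity(metadata_xml, entity_id):
    """The EntityDescriptor whose entityID equals entity_id, or None.
    The comparison is an exact string match: an endpoint URL, a trailing
    slash or a case variant does not match."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % MD["md"]):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def find_sso_location(metadata_xml, entity_id, binding=HTTP_REDIRECT):
    """SSO endpoint for entity_id and binding, or None when the entity is
    absent from the metadata (EZproxy's "entity not found" case) or offers
    no endpoint for that binding ("Unable to locate SSO Location")."""
    ed = entity(metadata_xml, entity_id)
    if ed is None:
        return None
    for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", MD):
        if sso.get("Binding") == binding:
            return sso.get("Location")
    return None


def sp_acs_endpoints(metadata_xml):
    """(index, binding, location) for every ACS in the SP metadata, sorted by
    index. This is the part of the SP's metadata the IdP must be given."""
    root = ET.fromstring(metadata_xml)
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD)
    return sorted((int(a.get("index", "0")), a.get("Binding"), a.get("Location"))
                  for a in acs)


if __name__ == "__main__":
    print(find_sso_location(IDP_METADATA, "https://myhost.domain.edu/idp/shibboleth"))
    # The value from the thread's log line is an endpoint path, not an entityID:
    print(find_sso_location(IDP_METADATA, "https://myhost.domain.edu/idp/Shibboleth/SSO"))
    for index, binding, location in sp_acs_endpoints(SP_METADATA):
        print(index, binding.rsplit(":", 1)[-1], location)
```

The None from the second lookup is the condition EZproxy logs as "entity not found": the IDP20 line has to carry the IdP's entityID exactly as it appears in the metadata, and that metadata has to be loaded before any lookup can succeed. The ACS list is the information that has to reach the IdP; an IdP configured from metadata will not deliver an assertion to a Location it does not have in the SP's descriptor.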



RE: Ezproxy config for local IDP

tsmori
Scott,

Thanks for the info. In what has become an annoying trend, I figured this out about 10 minutes after sending this message.  I must have been misinterpreting the documentation with respect to the metadata files.

I acquired my IdP metadata and referenced that in the EZProxy configuration and then it started working.  My only point about being the IdP provider is that there's very little documentation on how to configure the IdP side of things. I had to add relying party information and configure the ezproxy metadata, but this was kind of a shot in the dark.

I'll check out the info on entity naming as well. Most examples seem to have a registered name.

Tim

RE: Ezproxy config for local IDP

Cantor, Scott E.
Timothy Mori wrote on 2009-06-11:
> I acquired my IdP metadata and referenced that in the EZProxy configuration
> and then it started working.  My only point about being the IdP provider is
> that there's very little documentation on how to configure the IdP side of
> things. I had to add relying party information and configure the ezproxy
> metadata, but this was kind of a shot in the dark.

I wouldn't expect EZProxy to document that part, but if they don't have any
examples of metadata to use, or how to come up with the metadata for it,
that would leave you without much to go on apart from
https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty

Note that in general, what you add is metadata. That's it. People seem to be
constantly adding RelyingParty definitions to the IdP and that's rarely if
ever required.

-- Scott



RE: Ezproxy config for local IDP

tsmori
Scott,

Thanks again. I think I went down the relying party path because one of the first error messages I saw, either in the browser or in the idp-process.log indicated a problem with relying party information. However, at the same time I added the relying party block, I added the metadata block, and since it worked, I assumed I needed both.

After removing the relying party info, I see it all still works. I'm trying to document this as I go along, so hopefully I can get someone at OCLC to include this side of things, even if only for informational purposes.

Tim

Re: Ezproxy config for local IDP

Michael J. Wheeler-2
Tim,

I would be very interested in some documentation on how you made it all
work. At some point (hopefully soon), we are going to switch EZProxy from
using LDAP Authentication to using Shib with our local IdP.

--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone:  620-235-4610
E-mail: [hidden email]

Re: Ezproxy config for local IDP

Peter Schober
* Michael J. Wheeler <[hidden email]> [2009-06-11 17:35]:
> I would be very interested in some documentation on how you made it all
> work. At some point (hopefully soon), we are going to switch EZProxy from
> using LDAP Authentication to using Shib with our local IdP.

I just followed the EZproxy docs (SAML2 only), it's all in there.
First activate SSL:
http://www.oclc.org/support/documentation/ezproxy/cfg/ssl/default.htm
Then configure SAML/Shib support:
http://www.oclc.org/support/documentation/ezproxy/usr/shibboleth.htm
-peter

Re: Ezproxy config for local IDP

Peter Schober
* Peter Schober <[hidden email]> [2009-06-15 10:28]:
> I just followed the EZproxy docs (SAML2 only)

That should have been "I only tested with SAML2",
-peter

Re: Ezproxy config for local IDP

Franck Borel-3
In reply to this post by Michael J. Wheeler-2
Hi Michael,

> I would be very interested in some documentation on how you made it
> all work. At some point (hopefully soon), we are going to switch
> EZProxy from using LDAP Authentication to using Shib with our local
> IdP.

I just upgraded our EZProxy to let it speak SAML 2. Here is an example of how you should configure your EZProxy:

EZProxy
=======

config.txt
------------
..
# Proxy by Hostname
Interface <IP address>
LoginPort 80
LoginPortSSL 443
Interface ANY
LoginPort 2048
Option ProxyByHostname
Option IgnoreWildcardCertificate

RunAs ezproxy:users

Option SafariCookiePatch

MaxVirtualHosts 2000
MaxLifetime 60
MaxSessions 1000
MaxConcurrentTransfers 500

LogFormat %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
LogFile -strftime /opt/ezproxy-5.1c/log/ezproxy%Y%W.log
LogSPU -strftime /opt/ezproxy-5.1c/log/spu%Y%W.log %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"

Audit Most
AuditPurge 4

ShibbolethMetadata \
    -EntityID=https://example.proxy.org/shibboleth-ezproxy \
    -File=YOUR-metadata.xml \
    -Cert=3

Group databaseuser
..

shibuser.txt
----------------

If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7, "urn:mace:dir:entitlement:common-lib-terms");
   Group +databaseuser

If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7, "urn:example:admin");
   Admin

user.txt
----------
::Shibboleth
IDP20 https://example.org/idp
/Shibboleth

---------


Here is an example of the metadata for EZProxy:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://example.org">
  <!-- the default xmlns declaration is added here: without it the file does not parse as SAML 2.0 metadata -->
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://example.org/Shibboleth.sso/SAML2/POST"
                              index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                              Location="https://example.org/Shibboleth.sso/SAML/POST"
                              index="2"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="de">Blablablublub</OrganizationName>
    <OrganizationDisplayName xml:lang="de">blabla</OrganizationDisplayName>
    <OrganizationURL xml:lang="de">http://example.org</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Mr.</GivenName>
    <SurName>Spok</SurName>
    <EmailAddress>[hidden email]</EmailAddress>
  </ContactPerson>
</EntityDescriptor>



Hope this helps.


-- Franck




Re: Ezproxy config for local IDP

Peter Schober
* Franck Borel <[hidden email]> [2009-06-17 09:19]:
> I just upgrade our EZProxy to let him speak SAML 2. Here is an
> example how you should configure your EZProxy:
[...]

If you're using federation supplied metadata (describing the IdPs that
you work with) be sure to check the metadata against a signing public
key, as mentioned in the docs:

# http://www.oclc.org/us/en/support/documentation/ezproxy/usr/shibboleth.htm
ShibbolethMetadata \
   -EntityID=http://ezproxy.example.edu/saml2 \
   -File=federation-metadata.xml \
   -Cert=1 \
   -URL=https://federation.example.org/federation-metadata.xml \
   -URLValidate=federation-metadata-signing.crt

> Here is an example for the metadata of the EZProxy:

EZproxy generates its own metadata from the admin screen ("Manage
Shibboleth"); you just need to add the entityID for EZproxy to that
XML file, as per the docs.
-peter
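
Added example, not EZproxy code and not from the thread: the checks a practitioner can run on a freshly downloaded federation aggregate before pointing -File/-URL at it. It uses only the Python standard library, so it deliberately does not verify the SignatureValue; that step is what -URLValidate (or a tool such as xmlsec1) performs and is the actual trust decision. Everything in it is constructed for illustration: the aggregate, its ID and Name, the "certificate" bytes (not a real X.509 certificate), the thread's date used as "now", and the 14-day validity ceiling.

```python
"""Pre-flight checks on downloaded SAML federation metadata: freshness
(validUntil), that the enveloped signature actually covers the root
element, and that the certificate the signature carries is the one we
pinned. Added example; not EZproxy code. Signature verification itself
is out of scope here and must be done by the consumer with the pinned key."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for federation-metadata-signing.crt. It is NOT a real
# X.509 certificate; only its bytes matter for the fingerprint comparison.
PINNED_DER = b"constructed stand-in for federation-metadata-signing.crt"
PINNED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(PINNED_DER)
              + b"-----END CERTIFICATE-----\n")

# The thread's date, used as "now" so the example is reproducible.
NOW = datetime(2009, 6, 17, 9, 19, tzinfo=timezone.utc)


def build_metadata(cert_der, valid_until, root_id="_fed2009", ref_uri="#_fed2009"):
    """Constructed aggregate with an enveloped ds:Signature that is structurally
    complete but cryptographically meaningless (digest/signature are dummies)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    ID="{root_id}" validUntil="{valid_until}" Name="urn:mace:example:federation">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="{ref_uri}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>
"""


def pem_to_der(pem_bytes):
    """Strip PEM armour and base64-decode to DER."""
    body = re.sub(rb"-----[A-Z ]+-----", b"", pem_bytes)
    return base64.b64decode(b"".join(body.split()))


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_metadata(xml_text, pinned_pem, now=None, max_validity=timedelta(days=14)):
    """Return the list of problems found; an empty list means the structural
    pre-flight checks pass. SignatureValue is NOT verified here."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD}}}EntitiesDescriptor", f"{{{MD}}}EntityDescriptor"):
        return [f"root element {root.tag} is not SAML metadata"]

    # Freshness: no validUntil means an old copy could be replayed forever;
    # one far in the future defeats the point of re-fetching.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil: an old copy could be replayed indefinitely")
    else:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}")
        elif expiry - now > max_validity:
            problems.append(f"validUntil {valid_until} is further out than {max_validity.days} days")

    # The signature must be enveloped in the root and reference the root's ID,
    # otherwise it covers something other than the document being trusted.
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        problems.append("no enveloped signature on the root element")
        return problems
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    root_id = root.get("ID")
    if ref is None or root_id is None or ref.get("URI") != f"#{root_id}":
        problems.append("signature Reference does not point at the root element's ID")

    # Misconfiguration check only: KeyInfo is attacker-controlled, so the real
    # verification must use the pinned key, never the embedded certificate.
    cert = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        problems.append("signature carries no certificate to compare with the pin")
    else:
        seen = sha256_fingerprint(base64.b64decode("".join(cert.text.split())))
        pinned = sha256_fingerprint(pem_to_der(pinned_pem))
        if seen != pinned:
            problems.append(f"signing cert {seen[:16]}... is not the pinned {pinned[:16]}...")
    return problems


if __name__ == "__main__":
    print(check_metadata(build_metadata(PINNED_DER, "2009-06-24T00:00:00Z"), PINNED_PEM, now=NOW))
    print(check_metadata(build_metadata(b"some other cert", "2009-06-24T00:00:00Z"), PINNED_PEM, now=NOW))
    print(check_metadata(build_metadata(PINNED_DER, "2009-06-24T00:00:00Z", ref_uri="#elsewhere"), PINNED_PEM, now=NOW))
```

The fingerprint comparison catches a wrong pin or a federation key rollover, nothing more: anyone can embed any certificate in KeyInfo, so the verifier has to check the signature with the pinned certificate and ignore the embedded one, which is what EZproxy's -URLValidate and a command such as `xmlsec1 --verify --pubkey-cert-pem federation-metadata-signing.crt --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor federation-metadata.xml` do. The Reference check matters for the same reason: a signature whose Reference points at some other element leaves the root, and every IdP entry under it, unsigned.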